WO2006001647A1 - Network integrated management system - Google Patents


Info

Publication number: WO2006001647A1
Authority: WO (WIPO, PCT)
Prior art keywords: authentication, module, user, network, server
Application number: PCT/KR2005/001959
Other languages: French (fr)
Inventor: Ki-Tae Kim
Original Assignee: Exers Technologies. Inc.
Application filed by Exers Technologies. Inc.
Publication of WO2006001647A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • H04L41/04 Network management architectures or arrangements
    • H04L41/042 Network management architectures or arrangements comprising distributed management centres cooperatively managing the network
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/40 Support for services or applications

Definitions

  • the security management server stores and updates registration information about particular software while operating in conjunction with an external software management server;
  • the access program of the user terminal further includes a software management module for storing registration information about particular software installed in the user terminal, and the authentication supplicant module transmits the basic authentication information and the registration information stored in the software management module to the authentication server when the authentication is requested;
  • the authentication server authenticates the user using the basic user authentication information, and transmits an authentication success message only when the registration information about the particular software, which is received from the user terminal, is identical to corresponding information of the security management server even if the authentication is successful.
  • a computer readable recording medium stores an access program installed in a predetermined terminal and configured to allow a user to gain access to a network, wherein: the access program comprises at least one of a VoIP client module, a VPN client module and a personal firewall module; and the access program comprises: an authentication supplicant module for transmitting basic user authentication information to an authentication server and making a request for user authentication, and a security management module for modifying authorization policies for corresponding modules using authorization policies for at least one of the VoIP client module, the VPN client module and the personal firewall module, which are received from the authentication server, when the authentication is performed by the authentication supplicant module.
  • the access program further includes a software management module for storing and managing registration information about particular software installed in the user terminal, the authentication supplicant module transmits the registration information about particular software, which is installed in the software management module, to the authentication server, along with the basic authentication information, when making a request for user authentication, and the software management module installs or updates corresponding software when installation and update of particular software is requested by the authentication server.
  • the present invention modifies authorization policies, which will be applied to VoIP client modules, VPN client modules and personal firewall modules installed in user terminals, while performing an authentication procedure for allowing users to gain access to a network, so that the authentication and authorization of user terminals that try to gain access to the network can be performed for respective users in various ways, with the result that it is possible to dynamically limit network access privileges for respective users regardless of the infrastructure of a network. Furthermore, the present invention determines whether virus vaccine programs, Operating System (O/S) patch programs and other specific software have been installed in user terminals or whether programs installed in the user terminals have been updated, at the time of user authentication, and can limit the network access privileges of the user terminals in various ways according to the determination results.
  • the conventional 802.1x-based supplicant is simply composed of an EAPoL Packet Processor and a supplicant PAE state machine, whereas the integrated network management system of the present invention can additionally perform functions of user authentication, network management, user privilege management and security.
  • FIG. 1 is a configuration diagram illustrating a typical 802.1x-based authentication system on a network
  • FIG. 2 is a flowchart showing the operational sequence of the authentication system of FIG. 1
  • FIG. 3 is a configuration diagram showing a complete integrated network management system according to a first embodiment of the present invention
  • FIG. 4 is a flowchart showing the operational sequence of the system of FIG. 3
  • FIG. 5 is a configuration diagram showing a complete integrated network management system according to a second embodiment of the present invention
  • FIG. 6 is a flowchart showing the operational sequence of the system of FIG. 5
  • FIG. 7 is a configuration diagram showing a complete integrated network management system according to a third embodiment of the present invention.
  • the construction and operation of the wireless integrated network management system according to the present embodiment are described below with reference to FIGS. 3 and 4.
  • the system according to the present embodiment includes an authentication server 300, a security management server 310, a network end terminal 320 and a user terminal 330.
  • the network end terminal 320 is a terminal located at the end of the network, and it may be an Access Point (AP) , a switch, a router or the like.
  • the user terminal 330 can gain access to the authentication server or the network through the end terminal.
  • an access program 340 for performing functions of user authentication request and network access is installed in the user terminal 330 that serves as a supplicant.
  • the access program 340 according to the present embodiment includes a VoIP client module 350, a VPN client module 352, a personal firewall module 354, an authentication supplicant module 356 and a security management module 358.
  • the basic construction and functions of the VoIP client module 350, the VPN client module 352 and the personal firewall module 354 are the same as those of the conventional ones.
  • authorization policy refers to conditions or references that are set to determine whether to permit access by users, who request access to a network or specific equipment, to the network or corresponding equipment.
  • the authorization policy includes information corresponding to conditions that are previously set for respective users.
  • the end terminal 320 serving as an authenticator transmits a user authentication request signal to the authentication server at the request of the access program of the user terminal 330, or transmits a signal, which is received from the authentication server, to the user terminal.
  • the authentication server 300 operates in conjunction with the security management server 310 and performs a user authentication procedure at the request of the authenticator.
  • the security management server 310 has at least one of an authorization policy for a VoIP client module, an authorization policy for an IPSec-based VPN client module and a security policy for a dynamically controlled personal firewall module, which will be applied for each registered user.
  • the authentication server 300 and the security management server 310 are servers for performing logically different functions, but can be implemented using the same physical system.
  • the operational sequence of the authentication supplicant module 356 of the access program 340 is described with reference to FIG. 4 below.
  • the authentication supplicant module gains access to the authenticator, transmits basic user authentication information, which is received from the user, to the authenticator, and makes a request for user authentication, at step 400.
  • the basic authentication information includes the identification (ID) information and password of the user.
  • the contents of the basic authentication information may vary according to the network or communication protocol.
  • the authenticator transmits the basic authentication information to the authentication server and makes a request for user authentication at step 410.
  • the authenticator receives an authentication result message from the authentication server and transfers the message to the user terminal at step 420.
  • the authentication server requests an authorization policy for a VoIP client module, an authorization policy for an IPSec-based VPN client module and a security policy for a dynamically controlled personal firewall module, which will be applied to a corresponding user, from the security management server at step 430.
  • the security management server transmits corresponding information to the authentication server at the request of the authentication server at step 440.
  • the authentication server transfers the received information to the user terminal via the authenticator at step 450.
  • the security management module 358 modifies authorization policies for corresponding modules within the user terminal, that is, the VoIP client module, the VPN module and the personal firewall module, using the information received from the authentication server through the authentication supplicant module at step 460.
  • the user terminal that tries to gain access to the network is authenticated by the authentication server and, at the same time, authorization policies for the corresponding modules of the user terminal are modified according to authorization policies (for example, authorization policies for the VoIP client module, the IPSec-based VPN client module and the dynamically controlled personal firewall module) that are set in the authentication server and the security management server for each user.
  • the corresponding modules of the user terminal operate according to the modified authorization policies.
  • the security management server can previously set the authorization policies for the VoIP client module, the authorization policies for the IPSec-based VPN client module, and the security policies for the dynamically controlled personal firewall module that will be applied for respective users.
  • the authentication server receives authorization policies, which will be applied to a corresponding user, from the security management server, retransmits the authorization policies to the user terminal and allows corresponding modules to be modified. Finally, the user terminal operates according to the authorization policies set in the security management server.
  • even if a switch or an access point of a network does not support dynamic VLAN or other authorization policies, authentication and authorization for a user terminal that has gained access to a network can be performed.
  • even if a network system does not support VLAN, routing and Access Control Lists (ACLs), traffic blocking and firewall rule sets can be dynamically applied on a user basis. Therefore, according to the present invention, practical authentication and authorization on a network are made possible.
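The first-embodiment sequence (FIG. 4, steps 400 to 460) can be followed end to end in a small simulation. The code below is an added example written for this page, not the patent's or Exers Technologies' code: the user names, credentials, policy field names and host names are constructed, and the authentication server's answer is modelled as a plain dictionary standing in for a RADIUS success message carrying per-user attributes. It shows the part the text emphasises: the authenticator keeps no user state and only switches its port on success, the authentication server fetches the user's VoIP, VPN and firewall policies from the security management server, and the terminal's security management module rewrites its modules' policies so that the personal firewall then behaves per user.

```python
# Added example (not from the patent): simulation of the first-embodiment flow
# of FIG. 4, steps 400-460. User names, credentials, policy field names and host
# names are constructed for the example and are not taken from the document.
import hashlib
import hmac
from dataclasses import dataclass, field

# Security management server: per-user authorization policies registered in
# advance by the administrator (constructed sample data).
SECURITY_MANAGEMENT_SERVER = {
    "alice": {
        "voip": {"allowed": True, "max_calls": 2},
        "vpn": {"gateway": "vpn.example.test", "ipsec_required": True},
        "firewall": {"default": "deny", "allow_ports": [53, 443, 5060]},
    },
    "bob": {
        "voip": {"allowed": False},
        "vpn": {"gateway": None, "ipsec_required": True},
        "firewall": {"default": "deny", "allow_ports": [53, 443]},
    },
}

# Authentication server: stores salted password verifiers, never passwords.
# The salt is fixed here only so the example is deterministic.
_SALT = b"constructed-example-salt"


def _verifier(password: str) -> str:
    return hmac.new(_SALT, password.encode(), hashlib.sha256).hexdigest()


USER_DB = {"alice": _verifier("correct horse battery"), "bob": _verifier("hunter2")}


def authentication_server(user_id: str, password: str):
    """Steps 410-450: verify the basic authentication information, then fetch the
    user's policies from the security management server and return them with
    the success message. Returns None when authentication fails."""
    expected = USER_DB.get(user_id)
    # Compute and compare in constant time even for unknown users, so timing
    # does not reveal which user IDs exist.
    presented = _verifier(password)
    if expected is None or not hmac.compare_digest(expected, presented):
        return None
    return {"result": "success", "user": user_id,
            "policies": SECURITY_MANAGEMENT_SERVER.get(user_id, {})}


def authenticator(request: dict) -> dict:
    """The end terminal (AP/switch): relays the request, keeps no user state and
    opens the controlled port only on success."""
    response = authentication_server(request["user"], request["password"])
    return {"port": "controlled" if response else "uncontrolled",
            "response": response}


@dataclass
class UserTerminal:
    """Access program: supplicant module plus security management module."""
    port_state: str = "uncontrolled"
    voip_policy: dict = field(default_factory=dict)
    vpn_policy: dict = field(default_factory=dict)
    firewall_policy: dict = field(default_factory=dict)

    def access(self, user_id: str, password: str) -> bool:
        # Step 400: the supplicant module sends the basic authentication info.
        reply = authenticator({"user": user_id, "password": password})
        self.port_state = reply["port"]
        if reply["response"] is None:
            return False
        # Step 460: the security management module rewrites the module policies.
        self.apply_policies(reply["response"]["policies"])
        return True

    def apply_policies(self, policies: dict) -> None:
        self.voip_policy = dict(policies.get("voip", {}))
        self.vpn_policy = dict(policies.get("vpn", {}))
        self.firewall_policy = dict(policies.get("firewall", {}))

    def firewall_allows(self, port: int) -> bool:
        """Personal firewall module acting on the pushed policy; with no policy
        received it stays closed (default deny)."""
        policy = self.firewall_policy
        if port in policy.get("allow_ports", []):
            return True
        return policy.get("default", "deny") == "allow"


if __name__ == "__main__":
    terminal = UserTerminal()
    print(terminal.access("alice", "correct horse battery"), terminal.port_state,
          terminal.firewall_allows(5060), terminal.firewall_allows(22))
```

The firewall module is deliberately closed until a policy arrives: a terminal that fails authentication keeps the uncontrolled port and an empty policy, which is the safe state for the approach the text describes, where enforcement lives in the terminal rather than in a VLAN- or ACL-capable switch.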
  • FIG. 5 is a configuration diagram showing the entire integrated network management system according to a second embodiment of the present invention.
  • the system according to the present embodiment includes an authentication server 500, a security management server 510, a network end terminal 520 and a user terminal 530.
  • An access program 540 for executing functions of user authentication request and network access is installed in the user terminal 530.
  • the access program 540 includes a software management module 550 and an authentication supplicant module 556.
  • the end terminal 520 serving as an authenticator is the same as that of the first embodiment. Accordingly, descriptions thereof are omitted here.
  • the authentication server 500 operates in conjunction with the security management server 510, and performs a user authentication procedure at the request of the authenticator.
  • the security management server 510 according to the present embodiment has a database that stores lists of particular software set for respective users and registration information about respective pieces of software.
  • the security management server also operates in conjunction with management servers 560, 562 and 564 managing respective pieces of software registered in the lists, stores and manages the newest registration information about corresponding software in the database, and transmits the corresponding information to the authentication server 500 at the request of the authentication server.
  • Software managed according to the present embodiment can include virus vaccine programs, O/S patch programs, other security-related programs and the like.
  • Servers for managing and operating these programs are the vaccine server 560, the O/S patch server 562, the PC security server 564 and the like.
  • the type of software managed in the security management server can vary according to the system administrator or the requirements of the system.
  • referring to FIG. 6, the operational sequence of the authentication supplicant module 356 of the access program according to the present embodiment is described below.
  • the authentication supplicant module gains access to the authenticator, transmits basic authentication information (for example, an ID and a PW), which is input by the user, to the authenticator, makes a request for user authentication, requests registration information about particular software, which is installed in the user terminal, from the program management module, and transmits information, which is received from the program management module in response to the request, to the authenticator at step 600.
  • the authenticator transmits the basic user authentication information and registration information about specific software to the authentication server and makes a request for user authentication at step 610. Meanwhile, the authentication server performs a user authentication procedure using the received basic user authentication information at steps 620 and 630.
  • the authentication server requests registration information about specific software from the security management server, receives the registration information from the security management server, and compares the registration information received from the security management server with the registration information received from the user terminal. If the registration information received from the user terminal and the registration information received from the security management server are identical to each other, the authentication server transmits an authentication success message to the user terminal so that the user terminal is granted the privilege to gain access to the network at step 640. Meanwhile, if the registration information received from the user terminal and the registration information received from the security management server are not identical to each other, the authentication server permits the user terminal to gain access to the management server through appropriate software, and allows the user terminal to install or update corresponding software from the management server at step 650.
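The second-embodiment check (FIG. 6, steps 600 to 650) is a comparison of two copies of the same registration information: what the terminal's software management module reports, and what the security management server holds after syncing with the vaccine, O/S patch and PC security servers. The code below is an added example for this page, not the patent's or Exers Technologies' code; the software names, record fields, host names and credentials are constructed. It demonstrates the three outcomes the text names: reject on bad credentials, success when every record is identical, and otherwise a remediation state in which only the management server for the mismatched software is reachable, after which the terminal installs or updates and re-requests authentication.

```python
# Added example (not from the patent): simulation of the second-embodiment check
# of FIG. 6, steps 600-650. Software names, record fields, host names and
# credentials are constructed for the example.
import hashlib
import hmac

# Newest registration information per software, as the security management
# server holds it after syncing with the external management servers
# (constructed sample data; the patch identifier is a placeholder).
SECURITY_MANAGEMENT_DB = {
    "alice": {
        "vaccine": {"product": "ExampleAV", "signature_version": "2024.06.01"},
        "os_patch": {"patch_level": "PATCH-PLACEHOLDER-42"},
        "pc_security": {"agent_version": "3.2.1"},
    },
}

# Management servers the terminal may reach while out of compliance
# (constructed host names).
MANAGEMENT_SERVERS = {
    "vaccine": "vaccine-server.example.test",
    "os_patch": "patch-server.example.test",
    "pc_security": "pcsec-server.example.test",
}

_SALT = b"constructed-example-salt"  # fixed only so the example is deterministic


def _verifier(password: str) -> str:
    return hmac.new(_SALT, password.encode(), hashlib.sha256).hexdigest()


USER_DB = {"alice": _verifier("correct horse battery")}


def compare_registration(expected: dict, reported: dict) -> list:
    """Return the names of software whose reported registration information is
    missing or differs from the security management server's record."""
    return sorted(name for name, record in expected.items()
                  if reported.get(name) != record)


def authentication_server(user_id: str, password: str, reported: dict) -> dict:
    """Steps 620-650: authenticate, then compare registration information.
    'success' grants network access; 'remediate' allows only the management
    servers needed to install or update the mismatched software."""
    presented = _verifier(password)
    expected = USER_DB.get(user_id)
    if expected is None or not hmac.compare_digest(expected, presented):
        return {"decision": "reject"}
    mismatches = compare_registration(SECURITY_MANAGEMENT_DB.get(user_id, {}),
                                      reported)
    if not mismatches:
        return {"decision": "success"}  # step 640
    return {"decision": "remediate", "software": mismatches,  # step 650
            "allowed_hosts": [MANAGEMENT_SERVERS[n] for n in mismatches]}


class SoftwareManagementModule:
    """Holds the registration information of software installed on the terminal."""

    def __init__(self, installed: dict):
        self.installed = {k: dict(v) for k, v in installed.items()}

    def registration(self) -> dict:
        return {k: dict(v) for k, v in self.installed.items()}

    def install_or_update(self, name: str, record: dict) -> None:
        """Step 650 on the terminal side: fetch current software from the
        management server and record its registration information."""
        self.installed[name] = dict(record)


def supplicant_request(user_id: str, password: str,
                       module: SoftwareManagementModule) -> dict:
    """Step 600: the supplicant sends basic authentication information together
    with the registration information read from the software management module."""
    return authentication_server(user_id, password, module.registration())


if __name__ == "__main__":
    module = SoftwareManagementModule({
        "vaccine": {"product": "ExampleAV", "signature_version": "2024.05.15"},
        "os_patch": {"patch_level": "PATCH-PLACEHOLDER-42"},
        "pc_security": {"agent_version": "3.2.1"},
    })
    print(supplicant_request("alice", "correct horse battery", module))
```

Two points worth keeping in mind when building on this pattern. First, a record that is missing on the terminal is treated as a mismatch, so a terminal reporting nothing is sent to remediation rather than granted access. Second, the comparison trusts what the terminal reports about itself; it is a compliance check, not a tamper-resistant attestation, so the server-side records and the update channel are what have to be protected.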
  • FIG. 7 is a configuration diagram showing a complete integrated network management system according to a third embodiment of the present invention.
  • the system according to the present embodiment includes an authentication server 700, a security management server 710, a network end terminal 720 and a user terminal.
  • An access program 740 for performing functions of user authentication request and network access is installed in the user terminal, and the access program 740 includes a VoIP client module 750, a VPN client module 752, a personal firewall module 754, an authentication supplicant module 756, a security management module 758 and a software management module 759.
  • the operation and functions of the components constituting the system according to the present embodiment are the same as those of the first and second embodiments. Redundant descriptions thereof are omitted here.
  • the component elements such as the types of software set in the security management server, basic user authentication information and the types of modules included in the access program, may be modified in various ways in order to improve the design or efficiency of the system.
  • differences relating to the modifications and the applications fall within the scope of the present invention defined in the accompanying claims.
  • the present invention modifies authorization policies, which will be applied to VoIP client modules, VPN client modules and personal firewall modules installed in user terminals, while performing an authentication procedure for allowing users to gain access to a network, so that authentication and authorization for user terminals that try to gain access to the network can be performed for respective users in various ways, with the result that it is possible to dynamically limit network access privileges for respective users regardless of the infrastructure of a network.


Abstract

The present invention relates to an integrated network management system. The integrated network management system includes a user terminal having an access program; a security management server having at least one of authorization policies, which may be applied to a Voice Over Internet Protocol (VoIP) client module, a Virtual Private Network (VPN) client module and a personal firewall module, for each registered user; and an authentication server for authenticating a user and a user terminal, and transmitting authorization policies to the user terminal while operating in conjunction with the security management server. The integrated network management system according to the present invention authenticates a user who tries to gain access to a network, and at the same time, modifies authorization policies, which will be applied to VoIP client modules, VPN client modules and personal firewall modules installed in user terminals, according to authorization policies set in the authentication server for respective users, or dynamically limits network user access privileges according to the status of specific software installed in the user terminals.

Description

[DESCRIPTION]
[Invention Title] NETWORK INTEGRATED MANAGEMENT SYSTEM
[Technical Field] The present invention relates to an integrated network management system that performs 802.1x protocol-based authentication and security on a network and, more particularly, to an integrated network management system, which can authenticate users who try to gain access to the network, and modify authorization policies, which will be applied to Voice Over Internet Protocol client modules, Virtual Private Network client modules and personal firewall modules installed in user terminals, as authorization policies set in an authentication server for respective users, or dynamically control the network access privileges of users according to the status of particular software installed in user terminals.
[Background Art] FIG. 1 is a schematic diagram illustrating an authentication system on a wired/wireless network. FIG. 2 is a view illustrating an authentication process sequence in the authentication system of FIG. 1. Referring to FIGS. 1 and 2, currently, the IEEE 802.1x standard specification defines three types of entities, that is, a supplicant 100, an authenticator 110 and an authentication server 120. The supplicant is an entity that provides the authenticator with a user's authentication information and requests user authentication, an example of which is a wired/wireless terminal that tries to gain access to the network. Access by the supplicant to the network is controlled by the authenticator, and the supplicant and the authenticator are referred to as Port Authentication Entities (PAE). When the supplicant requests authentication from the authenticator, the initial port status of the authenticator is set to an uncontrolled port status. At this time, the supplicant and the authenticator can communicate with each other only through the Extensible Authentication Protocol (EAP). That is, when authentication information and an authentication request are transferred from the supplicant to the authenticator, EAP Over LAN (EAPOL) or EAP Over Wireless (EAPOW) is used as the protocol. Meanwhile, the authenticator transmits the authentication information and the authentication request, which are received from the supplicant, to the authentication server. If the authentication through the authentication server is successful, the authenticator transfers an authentication success message to the supplicant and switches the port of the authenticator to a controlled port status. An example of the authenticator may be one of an access point, a router and a switch.
At this time, the authenticator terminates only the link layer authentication exchange, does not maintain user information, and transmits all requests, which are received from the supplicant, to the authentication server for processing. Meanwhile, the authentication exchange is logically carried out between the supplicant and the authentication server. The authenticator serves only as a bridge. The authentication server is an entity that receives a request for supplicant authentication from the authenticator and authenticates the supplicant. The authentication server stores and manages user authentication information in its internal database, or receives user authentication information through communication with an external entity, and then authenticates users. At this time, although a protocol used between the authentication server and the authenticator is not defined in IEEE 802.1x, it is recommended that the protocol used in a typical Authentication, Authorization and Accounting (AAA) server be used. Accordingly, the Remote Authentication Dial-In User Service (RADIUS) protocol became a de facto standard in the industry. In the case where communication between the authenticator and the authentication server is performed using the RADIUS protocol, the control of the network access privileges of users can be implemented using the determination of authentication through the internal authentication algorithm of the authentication server, RADIUS attributes transferable through an authentication success message, and Vendor Specific Attributes (VSAs). As described above, the prior art 802.1x supplicant is mainly composed of an EAPOL-based packet processor and a PAE state machine. Recently, a supplicant program installed in a user terminal has wireless network management functions, in addition to the above-described functions.
Furthermore, the applicant of the present invention proposes a new integrated network management system that can integrally perform a new type of security, user authentication and privilege management on the basis of the conventional 802.1x protocol.
[Disclosure] [Technical Problem] An object of the present invention is to provide an integrated network management system that can integrally perform security, user authentication and privilege management on a network on the basis of the 802.1x protocol. Another object of the present invention is to provide an integrated network management system that can authenticate user terminals that try to gain access to a network and, at the same time, modify authorization policies, which will be applied to Voice over Internet Protocol (VoIP) client modules, Virtual Private Network (VPN) client modules and personal firewall modules installed in the user terminals, as authorization policies set in an authentication server for respective users. Still another object of the present invention is to provide an integrated network management system that can authenticate user terminals that try to gain access to a network and, at the same time, dynamically control the network access privileges of users according to the status of particular software installed in the user terminals.
[Technical Solution] In order to accomplish the above objects, the present invention provides an integrated network management system, including: a user terminal having a predetermined access program, the terminal trying to gain access to a network using the access program; a security management server having at least one of authorization policies, which may be applied to a Voice Over Internet Protocol (VoIP) client module, a Virtual Private Network (VPN) client module and a personal firewall module, for each registered user; and an authentication server for authenticating a user and a user terminal trying to gain access to the network for each user, and transmitting authorization policies, which will be applied to a successfully authenticated user terminal, to the user terminal while operating in conjunction with the security management server; wherein the access program of the user terminal comprises at least one of the VoIP client module, the VPN client module and the personal firewall module; and wherein the access program comprises: an authentication supplicant module for gaining access to an end terminal of a network, transmitting basic user authentication information to the end terminal, and making a request for user authentication, and a security management module for receiving authorization policies, which will be applied to the VoIP client module, the VPN client module and the personal firewall module, from the authentication server, and modifying authorization policies for corresponding modules into the authorization policies received from the authentication server, when the authentication is performed by the authentication supplicant module. Preferably, the security management server causes an administrator to previously register the authorization policies for the VoIP client module, the VPN client module and the personal firewall module that will be applied to each user. 
Preferably, in the integrated network management system having the above-described features: the security management server stores and updates registration information about particular software while operating in conjunction with an external software management server; the access program of the user terminal further includes a software management module for storing registration information about particular software installed in the user terminal, and the authentication supplicant module transmits the basic authentication information and the registration information stored in the software management module to the authentication server when the authentication is requested; and the authentication server authenticates the user using the basic user authentication information, and transmits an authentication success message only when the registration information about the particular software, which is received from the user terminal, is identical to corresponding information of the security management server even if the authentication is successful. A computer readable recording medium according to another aspect of the present invention stores an access program installed in a predetermined terminal and configured to allow a user to gain access to a network, wherein: the access program comprises at least one of a VoIP client module, a VPN client module and a personal firewall module; and the access program comprises: an authentication supplicant module for transmitting basic user authentication information to an authentication server and making a request for user authentication, and a security management module for modifying authorization policies for corresponding modules using authorization policies for at least one of the VoIP client module, the VPN client module and the personal firewall module, which are received from the authentication server, when the authentication is performed by the authentication supplicant module. 
Meanwhile, in the recording medium having the above-described features, the access program further includes a software management module for storing and managing registration information about particular software installed in the user terminal, the authentication supplicant module transmits the registration information about particular software, which is installed in the software management module, to the authentication server, along with the basic authentication information, when making a request for user authentication, and the software management module installs or updates corresponding software when installation and update of particular software is requested by the authentication server. In accordance with the present invention, new concept-based security and user authentication, and user privilege management on a network can be performed for respective users on the basis of the 802.1x protocol.
[Advantageous Effects] The present invention modifies authorization policies, which will be applied to VoIP client modules, VPN client modules and personal firewall modules installed in user terminals, while performing an authentication procedure for allowing users to gain access to a network, so that the authentication and authorization of user terminals that try to gain access to the network can be performed for respective users in various ways, with the result that it is possible to dynamically limit network access privileges for respective users regardless of the infrastructure of a network. Furthermore, the present invention determines whether virus vaccine programs, Operating System (O/S) patch programs and other specific software have been installed in user terminals or whether programs installed in the user terminals have been updated, at the time of user authentication, and can limit the network access privileges of the user terminals in various ways according to the determination results. Furthermore, the conventional 802.1x-based supplicant is simply composed of an EAPoL Packet Processor and a supplicant PAE state machine, whereas the integrated network management system of the present invention can additionally perform functions of user authentication, network management, user privilege management and security.
[Description of Drawings] FIG. 1 is a configuration diagram illustrating a typical 802.1x-based authentication system on a network; FIG. 2 is a flowchart showing the operational sequence of the authentication system of FIG. 1; FIG. 3 is a configuration diagram showing a complete integrated network management system according to a first embodiment of the present invention; FIG. 4 is a flowchart showing the operational sequence of the system of FIG. 3; FIG. 5 is a configuration diagram showing a complete integrated network management system according to a second embodiment of the present invention; FIG. 6 is a flowchart showing the operational sequence of the system of FIG. 5; and FIG. 7 is a configuration diagram showing a complete integrated network management system according to a third embodiment of the present invention.
[Best Mode] The construction and operation of a wireless integrated network management system according to the present invention are described with reference to the accompanying drawings below. First Embodiment FIG. 3 is a configuration diagram showing a complete integrated network management system according to a first embodiment of the present invention. The construction and operation of the wireless integrated network management system according to the present embodiment are described below with reference to FIGS. 3 and 4. Referring to FIG. 3, the system according to the present embodiment includes an authentication server 300, a security management server 310, a network end terminal 320 and a user terminal 330. In this case, the network end terminal 320 is a terminal located at the end of the network, and it may be an Access Point (AP), a switch, a router or the like. The user terminal 330 can gain access to the authentication server or the network through the end terminal. In the system of the present embodiment to which the 802.1x protocol is applied, an access program 340 for performing functions of user authentication request and network access, is installed in the user terminal 330 that serves as a supplicant. Furthermore, the access program 340 according to the present embodiment includes a VoIP client module 350, a VPN client module 352, a personal firewall module 354, an authentication supplicant module 356 and a security management module 358. In this case, the basic construction and functions of the VoIP client module 350, the VPN client module 352 and the personal firewall module 354 are the same as those of the conventional ones.
However, they have additional construction and functions for receiving user-based authorization policies, which will be applied to respective client modules, from an external authentication server through an interface with the authentication supplicant module 356 and the security management module 358, and dynamically applying the received authorization policies. The construction and operation of the authentication supplicant module 356 and the security management module 358 are described later. In this case, the term "authorization policy" refers to conditions or references that are set to determine whether to permit access by users, who request access to a network or specific equipment, to the network or corresponding equipment. The authorization policy includes information corresponding to conditions that are previously set for respective users. Furthermore, the end terminal 320 serving as an authenticator transmits a user authentication request signal to the authentication server at the request of the access program of the user terminal 330, or transmits a signal, which is received from the authentication server, to the user terminal. Meanwhile, the authentication server 300 operates in conjunction with the security management server 310 and performs a user authentication procedure at the request of the authenticator. The security management server 310 has at least one of an authorization policy for a VoIP client module, an authorization policy for an IPSec-based VPN client module and a security policy for a dynamically controlled personal firewall module, which will be applied for each registered user. Meanwhile, the authentication server 300 and the security management server 310 are servers for performing logically different functions, but can be implemented using the same physical system. The operational sequence of the authentication supplicant module 356 of the access program 340 is described with reference to FIG. 4 below.
The authentication supplicant module gains access to the authenticator, transmits basic user authentication information, which is received from the user, to the authenticator, and makes a request for user authentication, at step 400. In this case, the basic authentication information includes the identification (ID) information and password of the user. The contents of the basic authentication information may vary according to the network or communication protocol. The authenticator transmits the basic authentication information to the authentication server and makes a request for user authentication at step 410. The authenticator then receives an authentication result message from the authentication server and transfers the message to the user terminal at step 420. Meanwhile, if the user authentication is successful, the authentication server requests an authorization policy for a VoIP client module, an authorization policy for an IPSec-based VPN client module and a security policy for a dynamically controlled personal firewall module, which will be applied to a corresponding user, from the security management server at step 430. The security management server transmits corresponding information to the authentication server at the request of the authentication server at step 440. The authentication server transfers the received information to the user terminal via the authenticator at step 450. Meanwhile, the security management module 358 modifies authorization policies for corresponding modules within the user terminal, that is, the VoIP client module, the VPN module and the personal firewall module, using the information received from the authentication server through the authentication supplicant module at step 460.
In accordance with the wireless integrated network management system according to the present invention, the user terminal that tries to gain access to the network is authenticated by the authentication server and, at the same time, authorization policies for the corresponding modules of the user terminal are modified according to authorization policies (for example, authorization policies for the VoIP client module, the IPSec-based VPN client module and the dynamically controlled personal firewall module) that are set in the authentication server and the security management server for each user. The corresponding modules of the user terminal operate according to the modified authorization policies. As described above, the security management server can previously set the authorization policies for the VoIP client module, the authorization policies for the IPSec-based VPN client module, and the security policies for the dynamically controlled personal firewall module that will be applied for respective users. If the user authentication is successful, the authentication server receives authorization policies, which will be applied to a corresponding user, from the security management server, retransmits the authorization policies to the user terminal and allows corresponding modules to be modified. Finally, the user terminal operates according to the authorization policies set in the security management server. As a result, even if a switch or an access point of a network does not support dynamic VLAN or other authorization policies, authentication and authorization for a user terminal that has gained access to a network can be performed. Furthermore, according to the present invention, even if a network system does not support VLAN, Routing and Access Control List (ACL), traffic blocking and firewall rule sets can be dynamically applied on a per-user basis.
Therefore, according to the present invention, practical authentication and authorization on a network are made possible.
[Mode for Invention] Second Embodiment A wireless integrated network management system according to a second embodiment of the present invention is described in detail below. FIG. 5 is a configuration diagram showing the entire integrated network management system according to a second embodiment of the present invention. Referring to FIG. 5, the system according to the present embodiment includes an authentication server 500, a security management server 510, a network end terminal 520 and a user terminal 530. An access program 540 for executing functions of user authentication request and network access is installed in the user terminal 530. The access program 540 includes a software management module 550 and an authentication supplicant module 556. Furthermore, the end terminal 520 serving as an authenticator is the same as that of the first embodiment. Accordingly, descriptions thereof are omitted here. Meanwhile, the authentication server 500 operates in conjunction with the security management server 510, and performs a user authentication procedure at the request of the authenticator. The security management server 510 according to the present embodiment has a database that stores lists of particular software set for respective users and registration information about respective pieces of software. The security management server also operates in conjunction with management servers 560, 562 and 564 managing respective pieces of software registered in the lists, stores and manages the newest registration information about corresponding software in the database, and transmits the corresponding information to the authentication server 500 at the request of the authentication server. Software managed according to the present embodiment can include virus vaccine programs, O/S patch programs, other security-related programs and the like.
Servers for managing and operating these programs are the vaccine server 560, the O/S patch server 562, the PC security server 564 and the like. However, it is apparent that the type of software managed in the security management server can vary according to the system administrator or the requirements of the system. With reference to FIG. 6, the operational sequence of the authentication supplicant module 356 of the access program according to the present embodiment is described below. The authentication supplicant module gains access to the authenticator, transmits basic authentication information (for example, an ID and a PW), which is input by the user, to the authenticator, makes a request for user authentication, requests registration information about particular software, which is installed in the user terminal, from the program management module, and transmits information, which is received from the program management module in response to the request, to the authenticator at step 600. The authenticator transmits the basic user authentication information and registration information about specific software to the authentication server and makes a request for user authentication at step 610. Meanwhile, the authentication server performs a user authentication procedure using the received basic user authentication information at steps 620 and 630. If the user authentication is successful, the authentication server requests registration information about specific software from the security management server, receives the registration information from the security management server, and compares the registration information received from the security management server with the registration information received from the user terminal.
If the registration information received from the user terminal and the registration information received from the security management server are identical to each other, the authentication server transmits an authentication success message to the user terminal so that the user terminal is granted the privilege to gain access to the network at step 640. Meanwhile, if the registration information received from the user terminal and the registration information received from the security management server are not identical to each other, the authentication server permits the user terminal to gain access to the management server through appropriate software, and allows the user terminal to install or update corresponding software from the management server at step 650. In accordance with the present embodiment, even if the user inputs correct authentication information, the status of the user terminal (for example, whether anti-virus software has been installed and updated, the O/S has been patched, service packs have been installed or specific software has been installed) is determined and the network access privilege of the user terminal can be limited according to the status of the terminal. Third Embodiment A wireless integrated network management system according to a third embodiment of the present invention is described below. FIG. 7 is a configuration diagram showing a complete integrated network management system according to a third embodiment of the present invention. Referring to FIG. 7, the system according to the present embodiment includes an authentication server 700, a security management server 710, a network end terminal 720 and a user terminal. 
An access program 740 for performing functions of user authentication request and network access is installed in the user terminal, and the access program 740 includes a VoIP client module 750, a VPN client module 752, a personal firewall module 754, an authentication supplicant module 756, a security management module 758 and a software management module 759. The operation and functions of the components constituting the system according to the present embodiment are the same as those of the first and second embodiments. Redundant descriptions thereof are omitted here. Although the preferred embodiments of the present invention have been described, the embodiments are illustrative and do not limit the present invention, and those skilled in the art can appreciate that various modifications and applications are possible without departing from the scope and spirit of the invention. For example, in the embodiments of the present invention, the component elements, such as the types of software set in the security management server, basic user authentication information and the types of modules included in the access program, may be modified in various ways in order to improve the design or efficiency of the system. Furthermore, it must be understood that differences relating to the modifications and the applications fall within the scope of the present invention defined in the accompanying claims.
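The following Python model is an added example, not code from the patent or its applicant. It walks the authentication server's decision for the FIG. 4 sequence (steps 430 to 460: fetch and push per-user policies) and the FIG. 6 sequence (steps 620 to 650: compare the terminal's software registration information with the security management server's copy), as combined in the third embodiment; every user name, policy key, software name and version string below is a constructed assumption.

```python
"""Model of the authentication server and terminal-side security management
module described for FIG. 4 and FIG. 6. Added example, not the patent's code;
all names, keys and version strings below are constructed assumptions."""
import hashlib
import hmac
from dataclasses import dataclass, field

# --- Security management server data (constructed) -----------------------
# Authorization policies registered by the administrator for each user and
# applied to the VoIP client, IPSec VPN client and personal firewall modules.
USER_POLICIES = {
    "alice": {
        "voip": {"allowed": True, "sip_domain": "voip.example.test"},
        "vpn": {"allowed": True, "gateway": "vpn.example.test", "cipher": "aes256"},
        "firewall": {"default": "deny", "allow": ["tcp/443", "udp/5060"]},
    },
}
# Newest registration information for each user's required software, as the
# server would hold it after syncing with the vaccine, O/S patch and PC
# security management servers (constructed versions).
REQUIRED_SOFTWARE = {
    "alice": {"vaccine": "2004.06.20", "os_patch": "sp2", "pc_security": "3.1"},
}

# --- Authentication server: basic user authentication --------------------
_SALT = b"constructed-salt"  # one shared salt keeps the example short


def _derive(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USER_DB = {"alice": _derive("correct horse")}  # constructed credential store


def verify_password(user_id: str, password: str) -> bool:
    stored = USER_DB.get(user_id)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _derive(password))


@dataclass
class AuthResult:
    status: str                                      # "granted", "remediate" or "denied"
    policies: dict = field(default_factory=dict)     # step 450: pushed to the terminal
    remediation: list = field(default_factory=list)  # step 650: software to install/update


def authenticate(user_id: str, password: str, terminal_software: dict) -> AuthResult:
    """Steps 620-650: verify the basic authentication information, then compare
    the registration information reported by the terminal with the security
    management server's copy; policies are pushed only when they are identical.
    The terminal's report is self-attested: the patent describes no integrity
    protection for it, so a deployment would have to add one."""
    if not verify_password(user_id, password):
        return AuthResult("denied")
    required = REQUIRED_SOFTWARE.get(user_id, {})
    # A missing entry counts as a mismatch, not as "nothing to check".
    stale = sorted(name for name, ver in required.items()
                   if terminal_software.get(name) != ver)
    if stale:
        # Step 650: access is limited to the management servers for this software.
        return AuthResult("remediate", remediation=stale)
    # Steps 430-450: fetch the user's policies and return them for the terminal.
    return AuthResult("granted", policies=USER_POLICIES.get(user_id, {}))


# --- User terminal: security management module (step 460) ----------------
class AccessProgram:
    """Holds the three client modules' current policies and overwrites them
    with whatever the authentication server delivered after a successful
    authentication; modules the server said nothing about are left untouched."""

    def __init__(self):
        self.modules = {
            "voip": {"allowed": False},
            "vpn": {"allowed": False},
            "firewall": {"default": "deny", "allow": []},
        }

    def apply_policies(self, result: AuthResult) -> dict:
        if result.status == "granted":
            for name, policy in result.policies.items():
                if name in self.modules:
                    self.modules[name] = dict(policy)
        return self.modules


if __name__ == "__main__":
    ok = authenticate("alice", "correct horse", REQUIRED_SOFTWARE["alice"])
    print(ok.status, AccessProgram().apply_policies(ok)["firewall"])
    old = dict(REQUIRED_SOFTWARE["alice"], vaccine="2004.01.01")
    print(authenticate("alice", "correct horse", old))
```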
[Industrial Applicability] The present invention modifies authorization policies, which will be applied to VoIP client modules, VPN client modules and personal firewall modules installed in user terminals, while performing an authentication procedure for allowing users to gain access to a network, so that authentication and authorization for user terminals that try to gain access to the network can be performed for respective users in various ways, with the result that it is possible to dynamically limit network access privileges for respective users regardless of the infrastructure of a network.

Claims

[CLAIMS] [Claim 1] An integrated network management system, comprising: a user terminal having an access program, the terminal trying to gain access to a network using the access program; a security management server having at least one of authorization policies that will be applied to a Voice Over Internet Protocol (VoIP) client module, a Virtual Private Network (VPN) client module and a personal firewall module for each registered user; and an authentication server for authenticating a user and a user terminal trying to gain access to the network for each user, and transmitting authorization policies, which will be applied to a successfully authenticated user terminal, to the user terminal while operating in conjunction with the security management server; wherein the access program of the user terminal comprises at least one of the VoIP client module, the VPN client module and the personal firewall module; and wherein the access program comprises: an authentication supplicant module for gaining access to an end terminal of a network, transmitting basic user authentication information to the end terminal, and making a request for user authentication, and a security management module for receiving authorization policies, which will be applied to the VoIP client module, the VPN client module and the personal firewall module, from the authentication server, and modifying authorization policies for corresponding modules into the authorization policies received from the authentication server, when the authentication is performed by the authentication supplicant module.
[Claim 2] The integrated network management system according to claim 1, wherein the security management server causes an administrator to previously register the authorization policies for the VoIP client module, the VPN client module and the personal firewall module, which will be applied to each user.
[Claim 3] The integrated network management system according to claim 1, wherein the end terminal of the network is one of an access point, a switch and a router to which the user terminal gains access first so as to gain access to the network.
[Claim 4] The integrated network management system according to claim 1, wherein: the security management server stores and updates registration information about particular software while operating in conjunction with an external software management server; the access program of the user terminal further includes a software management module for storing registration information about particular software installed in the user terminal, and the authentication supplicant module transmits the basic authentication information and the registration information stored in the software management module to the authentication server when the authentication is requested; and the authentication server authenticates the user using the basic user authentication information, and transmits an authentication success message only when the registration information about the particular software, which is received from the user terminal, is identical to corresponding information of the security management server even if the authentication is successful.
[Claim 5] A computer readable recording medium storing an access program installed in a predetermined terminal and configured to allow a user to gain access to a network, wherein: the access program comprises at least one of a VoIP client module, a VPN client module and a personal firewall module; and the access program comprises: an authentication supplicant module for transmitting basic user authentication information to an authentication server and making a request for user authentication, and a security management module for modifying authorization policies for corresponding modules using authorization policies for at least one of the VoIP client module, the VPN client module and the personal firewall module, which are received from the authentication server, when the authentication is performed by the authentication supplicant module.
[Claim 6] The computer readable recording medium according to claim 5, wherein: the access program further includes a software management module for storing and managing registration information about particular software installed in the user terminal; the authentication supplicant module transmits the registration information about particular software, which is installed in the software management module, to the authentication server, along with the basic authentication information, when making a request for user authentication; and the software management module installs or updates corresponding software when installation and update of particular software is requested by the authentication server.
PCT/KR2005/001959 2004-06-24 2005-06-23 Network integrated management system WO2006001647A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020040047424A KR20050122343A (en) 2004-06-24 2004-06-24 Network integrated management system
KR10-2004-0047424 2004-06-24

Publications (1)

Publication Number Publication Date
WO2006001647A1 true WO2006001647A1 (en) 2006-01-05

Family

ID=35782024

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2005/001959 WO2006001647A1 (en) 2004-06-24 2005-06-23 Network integrated management system

Country Status (2)

Country Link
KR (1) KR20050122343A (en)
WO (1) WO2006001647A1 (en)

Also Published As

Publication number Publication date
KR20050122343A (en) 2005-12-29

Similar Documents

Publication Publication Date Title
US7082535B1 (en) System and method of controlling access by a wireless client to a network that utilizes a challenge/handshake authentication protocol
US8555348B2 (en) Hierarchical trust based posture reporting and policy enforcement
US7526792B2 (en) Integration of policy compliance enforcement and device authentication
US10764264B2 (en) Technique for authenticating network users
US7886335B1 (en) Reconciliation of multiple sets of network access control policies
US8375430B2 (en) Roaming secure authenticated network access method and apparatus
US8359464B2 (en) Quarantine method and system
US7194763B2 (en) Method and apparatus for determining authentication capabilities
US7533407B2 (en) System and methods for providing network quarantine
US7788705B2 (en) Fine grained access control for wireless networks
US20050132229A1 (en) Virtual private network based on root-trust module computing platforms
WO2006001647A1 (en) Network integrated management system
US20180198786A1 (en) Associating layer 2 and layer 3 sessions for access control
KR100714367B1 (en) Network security system co-operated with an authentication server and method thereof
US9021253B2 (en) Quarantine method and system
US20230006988A1 (en) Method for selectively executing a container, and network arrangement
US20070226782A1 (en) System for updating software in a terminal when access of the terminal is authenticated
KR20060044494A (en) Network management system and network management server of co-operating with authentication server
Cisco Switch Access: Using Authentication, Authorization, and Accounting
Cisco Configuring Switch Access Using AAA

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DPEN Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed from 20040101)
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 69(1) EPC OPF 230407

122 Ep: pct application non-entry in european phase

Ref document number: 05765835

Country of ref document: EP

Kind code of ref document: A1