The present invention relates to telecommunication networks, and, more particularly, to a remote access client, associated network system, and related methodology for providing enterprise management of client-side applications and enterprise network access policies to ensure policy compliant access of enterprise resources.
Enterprise networks (i.e., private computer data networks) are generally designed to provide network access to designated individuals of an organization, such as employees of a commercial entity, for sharing computer-based resources. For example, a typical enterprise network may use high speed, dedicated lines that carry voice, facsimile, video and data traffic between facility locations of the entity. Such dedicated paths are point-to-point connections, so a mesh topology is formed to interconnect multiple facilities. Yet, in order for a remote office or individual user to connect to the enterprise network, carrier-provided services such as ISDN (integrated services digital network) over the PSTN (public switched telephone network) or frame relay are often utilized. For individual mobile employees, a modem or “dial-up” connection may be the best solution for occasional connection to the enterprise network.
In accessing the enterprise network from a remote location not having a dedicated connection, a virtual private network (VPN) function is typically implemented. A virtual private network is a pseudo-private data network that utilizes a readily available public data network, such as the Internet, instead of dedicated lines to carry enterprise network traffic. An Internet-based virtual private network (VPN) link is thus “virtual” because, although the Internet is freely accessible to the public, a VPN client application enables the Internet to function as a dedicated private network communication link. In order to accomplish this, the data traffic for the organization is exchanged by way of the VPN client. The VPN client typically configures a “tunnel” connection by way of a tunneling protocol such as L2TP (layer two tunneling protocol), which encapsulates the data exchanged between the enterprise and the remotely located data terminal; L2TP itself provides no confidentiality, so it is combined with an encryption protocol such as IPsec so that enterprise data is not easily intercepted by users of the Internet (i.e., from outside the tunnel).
Naturally, commercial organizations are increasingly employing VPN-based remote access solutions, as the availability of Internet access and robust VPN technology offers the ability to use the public networks that make up the Internet as a flexible, cost-effective remote access solution. Thus, VPN implementations are favored by network architects to partially replace existing private data network infrastructure, to supplement a private data network by relieving its load, to handle new software applications without disturbing the existing private data network, or to permit new user locations to be easily added to the network.
As Internet Service Providers (ISPs) employ extensive networks to facilitate connectivity to the Internet over a broad geographical area, the most commonly utilized communication path for enterprise VPN technology is the Internet. Namely, a remote access client contacts a network access server (NAS), such as one operated by an Internet Service Provider, at a POP (point of presence) or “node”, and from there establishes connectivity to the enterprise network. In this way, an enterprise may negotiate an agreement with a single provider enabling its user base to connect to that network in order to supply the transport portion of the enterprise VPN. However, an enterprise VPN solution with only one network providing data transport services may be limited in coverage and diversity. For instance, should an individual POP or the network itself go down, the end user may have no way to connect to the enterprise. The ISP may also be slow to expand its network to provide coverage that is critical to a particular enterprise network having users in a poorly serviced region of the ISP. Thus, an enterprise network may try to overcome these limitations by adding redundant providers to the solution to complement a primary network partner. Unfortunately, this introduces significant complexity, because each network will require separate authentication, billing and customer service relationships.
Thus, as an alternative to single-carrier implementations, multiple ISPs are often packaged as roaming solutions (i.e., a “network of networks”). This is accomplished by forwarding authentication and billing information to enable a single customer to interface to many different transport providers. Yet, depending on the design of the network, companies that aggregate ISPs have had difficulty ensuring there is no single point of failure in the authentication chain that would bring the entire solution down. Also, the ability to cost-effectively monitor and manage the various networks, account for individual usage, and determine billing responsibilities is hampered. Most importantly, these providers are typically unfamiliar with the security, information and management needs unique to the enterprise network market.
Indeed, remote access of enterprise resources through a remote access client in conjunction with a VPN client presents significant security concerns to enterprise network architects, as enterprise policies cannot be readily coordinated prior to, or during, connection (e.g., tunnel construction). In other words, while the data communicated across the VPN link is encapsulated and encrypted, the data terminal of the remote user may itself be vulnerable to intrusive use (i.e., hacking). The tunnel protects only the traffic in transit; it does nothing to protect the endpoint that terminates it. For example, unless a user is employing adequate firewall protection, an intruder may gain access to the data terminal and, from that position inside the tunnel endpoint, effectively circumvent the security afforded by the VPN tunnel.
As such, a remote access client, associated system, and related methodology are desired which are devoid of the aforementioned limitations, capable of integrally processing dial-up connections across a plurality of service providers in a simplified manner, while simultaneously ensuring VPN based policy compliant access of enterprise resources.
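The policy coordination gap described above, namely that nothing checks the state of the client before the tunnel is constructed, is illustrated by the following Python sketch of a pre-connection posture gate. This is an added example, not code from the patent or from any product it describes; the posture attribute names, the policy fields, the numeric patch-level baseline and the sample posture reports are all assumed here for illustration.

```python
"""Pre-connection posture gate for a remote-access client.

Constructed illustration: the client reports its local security state, the
enterprise policy states what is required, and the tunnel is brought up only
when every requirement is met. The attribute names, the policy shape and the
sample reports are assumptions made for this example, not the patent's design.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """Enterprise access policy evaluated before tunnel construction."""
    require_firewall: bool = True
    require_antivirus: bool = True
    min_patch_level: int = 0            # hypothetical integer patch baseline
    allow_split_tunneling: bool = False


@dataclass
class Decision:
    allowed: bool
    violations: List[str] = field(default_factory=list)


def evaluate(posture: Dict[str, object], policy: Policy) -> Decision:
    """Compare a reported posture against the policy.

    Fails closed: an attribute the client did not report is itself a
    violation, so a stripped-down or tampered report cannot pass by omission.
    """
    violations: List[str] = []

    if "firewall_enabled" not in posture:
        violations.append("firewall state not reported")
    elif policy.require_firewall and not posture["firewall_enabled"]:
        violations.append("host firewall disabled")

    if "antivirus_running" not in posture:
        violations.append("antivirus state not reported")
    elif policy.require_antivirus and not posture["antivirus_running"]:
        violations.append("antivirus not running")

    if "patch_level" not in posture:
        violations.append("patch level not reported")
    elif int(posture["patch_level"]) < policy.min_patch_level:
        violations.append("patch level below baseline")

    if "split_tunneling" not in posture:
        violations.append("split tunneling state not reported")
    elif posture["split_tunneling"] and not policy.allow_split_tunneling:
        violations.append("split tunneling enabled")

    return Decision(allowed=not violations, violations=violations)


def connect(posture: Dict[str, object], policy: Policy,
            bring_up_tunnel: Callable[[], str]) -> Tuple[Decision, Optional[str]]:
    """Gate the caller-supplied tunnel set-up behind the policy check.

    The tunnel callable is never invoked for a non-compliant endpoint, so an
    unprotected terminal never becomes a tunnel endpoint in the first place.
    """
    decision = evaluate(posture, policy)
    if not decision.allowed:
        return decision, None
    return decision, bring_up_tunnel()


# Constructed posture reports, not captured from any real client.
COMPLIANT = {"firewall_enabled": True, "antivirus_running": True,
             "patch_level": 12, "split_tunneling": False}
NO_FIREWALL = {"firewall_enabled": False, "antivirus_running": True,
               "patch_level": 12, "split_tunneling": False}
PARTIAL_REPORT = {"antivirus_running": True, "patch_level": 12}

ENTERPRISE_POLICY = Policy(min_patch_level=10)

if __name__ == "__main__":
    for name, report in (("compliant", COMPLIANT), ("no firewall", NO_FIREWALL),
                         ("partial report", PARTIAL_REPORT)):
        decision, tunnel = connect(report, ENTERPRISE_POLICY, lambda: "tunnel-up")
        print(f"{name}: allowed={decision.allowed} tunnel={tunnel} {decision.violations}")
```

The unprotected terminal from the previous paragraph (no host firewall) is refused before any tunnel exists, and a client that simply omits the firewall attribute is refused as well; a gate that treated a missing attribute as compliant would let a trimmed report bypass the check.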