1. Field of the Invention
This invention pertains generally to network access servers. More particularly, the invention is a system and method for providing secure and efficient configuration of port devices.
2. The Prior Art
Server modems for providing telecommunication services are known in the art. For example, systems having server modems connected to a network access server are used to provide customers with access to a particular network (or group of networks) connected to the network access server. A customer typically connects to the system via a conventional telephone connection. The server modems provide modem services allowing the user to communicate with the network access server via the telephone connection. The network access server provides services which allow the user to access the network via the modem services provided by the corresponding server modem.
Current methods for configuring server modems involve issuing "AT" command strings (also known as the Hayes Standard AT Command Set) from the network access server to the corresponding server modem. AT modem command strings provide various instructions to the server modem, including configuration commands such as the baud rate for communication and whether error correction is enabled, for example. In operation, the modem command strings are stored on the network access server and are sent in their entirety to the modem at the beginning and/or the end of each customer session. The modem command strings are received and interpreted by the server modem, which then configures its modem services according to the configuration parameters defined in the AT modem command string.
According to the server modem configuration method described above, initialization delays result from the transmission and interpretation of the AT command strings. While the server modem is being configured during these initialization delays, it is temporarily unavailable to provide modem services for the next customer call.
To avoid these initialization delays, some administrators program or otherwise configure the network access servers to use a single modem configuration (i.e., a single AT command string) once during system initialization, rather than issuing a new modem configuration command for each customer session. Alternatively, some administrators do not issue modem configuration commands at all, but rather simply use the factory default settings of the modem. Under either arrangement, the initialization delays associated with an AT command string configuration for each customer session can be avoided.
However, there are several disadvantages associated with not providing a modem command string for each customer session. First, by providing a single configuration setting or by using the modem default configuration setting, the network access server is unable to provide specific settings associated with the particular customer accessing the system. Instead, a single or static configuration setting is used, and thus the session is not tailored to the customer's specific capabilities or needs. Second, administrators who do not use modem configuration commands for each customer session are vulnerable to security attacks and/or are exposed to unintentional configuration corruption. This vulnerability arises because standard AT commands can be used to corrupt the server modem configuration by a user "reverse telnetting" to a particular port on the network access server, as is known in the art. In this way, all users dialing into or out of the "corrupted" modem could then experience problems.
Network access servers may also be coupled to universal port devices to provide additional port services to customers. As is known in the art, universal port devices may provide one or more port services including, for example, V.110, modem and FAX services, among others. Similar to traditional systems having a network access server connected to server modems as described above, the configuration settings for configuring universal port devices are stored in the network access server and are communicated to the universal port for configuration therein at the appropriate time, normally at the start and/or end of a customer session. Initialization delays associated with configuring universal ports result in the unavailability of the universal port for the next user, as in the case of server modems described above. Additionally, the vulnerability to attack and/or unintentional configuration corruption also exists with universal ports where the configuration commands are stored on and transmitted from the network access server, as is known in the art. This vulnerability generally arises because the user is able to issue "administration" level configuration commands over the same path on which configuration commands are issued from the network access server.
Accordingly, there is a need for a system and method which provides for secure and efficient modem and universal port configuration. The present invention satisfies these needs, as well as others, and generally overcomes the deficiencies found in the background art.
An object of the invention is to provide a system and method for configuring universal port devices which overcome the deficiencies of the prior art.
Another object of the invention is to provide a system and method for secure and efficient configuration of modems and universal port devices.
Further objects and advantages of the invention will be brought out in the following portions of the specification, wherein the detailed description is for the purpose of fully disclosing the preferred embodiment of the invention without placing limitations thereon.
The present invention is a system and method for providing secure and efficient configuration of port devices including server modems and universal port devices, for example. The invention further relates to machine readable media on which are stored embodiments of the present invention. It is contemplated that any media suitable for retrieving instructions is within the scope of the present invention. By way of example, such media may take the form of magnetic, optical, or semiconductor media. The invention also relates to data structures that contain embodiments of the present invention, and to the transmission of data structures containing embodiments of the present invention.
The system identifies a user of the system and associates the identified user with a particular account group. Each account group is associated with one of a plurality of service templates maintained within each port device or group of port devices. Messages sent via a control or administration path are used to select the service template associated with the user. The selected service template is then used to configure the port device according to the configuration parameters defined for the template, i.e., according to the user's account group. A separate data path is provided for communicating port data and providing port services once the port has been configured according to the service template. By separating the control path for administrative configuration from the data path for port services, the security of the configuration of the port devices is thereby increased: a user on the data path cannot issue the restricted commands that alter the port configuration. Furthermore, since the configuration data for the port device is maintained locally within the service templates in the port devices, no configuration string has to be transmitted and parsed at the start of each session, and the normal initialization delays associated with port device configuration are thereby reduced. Certain "non-restricted" configuration commands, such as "AT" commands, can be sent via the data path. The control path can be used for all configuration commands, restricted or non-restricted. Restricted configuration commands, for example, may be limited to commands related to the service templates.
According to a first embodiment, the system of the present invention comprises a network access server (NAS) having an operating system executing therein; a universal port controller (UPC) operatively coupled to the NAS via a first data path carrying data information and a second control path carrying "restricted" administrative control information; a service processing element (SPE) executing within the UPC to provide at least one port service via the data path; and a plurality of service templates, each having universal port configuration information. The service templates reside within said universal port controller and are selectable by the operating system via the control path.
According to another embodiment, the method of the present invention comprises providing a data path between a network access server and a universal port controller; providing a control path between the network access server and the universal port controller; communicating restricted configuration commands via the control path; and communicating user data via the data path.
According to yet another embodiment, the method of the present invention further comprises defining a plurality of service templates, each having port configuration parameters, said service templates residing within said universal port controller; identifying a user accessing said network access server; associating said user with one of said service templates; and configuring port services for said user in said universal port controller according to said service template associated with said user.
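The following is an added example, not code from the patent or from any network access server product, that models the arrangement described in the summary and the embodiments above against the prior-art arrangement described in the background: service templates live inside the port controller, the NAS selects one over a separate control path after identifying the user and mapping the user to an account group, and the data path carries user traffic plus non-restricted AT commands while refusing restricted ones. The template names and parameters, the account groups and users, the control message format (SELECT_TEMPLATE) and the choice of which Hayes-style commands count as restricted are all assumptions made for illustration.

```python
# Added example (not from the patent): toy model of a universal port controller
# with a separate control path for restricted template selection and a data
# path for user traffic and non-restricted AT commands, beside a prior-art
# style modem whose single path accepts every AT command.

# Service templates held locally inside the port controller (constructed values).
SERVICE_TEMPLATES = {
    "modem-v90": {"service": "modem", "max_rate": 56000, "error_correction": True},
    "modem-v34": {"service": "modem", "max_rate": 33600, "error_correction": True},
    "fax-g3":    {"service": "fax",   "max_rate": 14400, "error_correction": False},
}

# NAS-side tables: identified user -> account group -> template (constructed).
ACCOUNT_GROUP_TEMPLATE = {"premium": "modem-v90", "basic": "modem-v34", "fax": "fax-g3"}
USER_ACCOUNT_GROUP = {"alice": "premium", "bob": "basic", "faxbox": "fax"}

# Hayes-style commands that alter or persist the port configuration (assumed set:
# &F factory reset, &W write to NVRAM, Z reset). In the prior-art arrangement a
# user reaching the port over the data path could issue them; here they are restricted.
RESTRICTED_AT = ("&F", "&W", "Z")


class LegacyServerModem:
    """Prior-art style modem: one path carries both data and configuration, so a
    user issuing AT&F over the data path replaces the administrator's settings."""

    def __init__(self, config):
        self.config = dict(config)

    def data(self, line):
        if not line.upper().startswith("AT"):
            return "DATA"
        if line[2:].upper().startswith("&F"):
            # factory defaults (constructed values): the chosen settings are gone
            self.config = {"service": "modem", "max_rate": 2400, "error_correction": False}
        return "OK"


class UniversalPortController:
    """Port controller whose control path accepts only template selection and whose
    data path refuses restricted commands."""

    def __init__(self):
        self.active = None   # configuration currently applied to the port
        self.events = []     # audit trail of control and refused data commands

    def control(self, message):
        """Control path, reachable only from the NAS operating system."""
        command, _, argument = message.partition(" ")
        if command != "SELECT_TEMPLATE" or argument not in SERVICE_TEMPLATES:
            raise ValueError(f"rejected control message {message!r}")
        # nothing to transmit or parse: the template already resides in the controller
        self.active = dict(SERVICE_TEMPLATES[argument])
        self.events.append(f"control: selected {argument}")
        return self.active

    def data(self, line):
        """Data path, reachable by the user once the port is configured."""
        if self.active is None:
            raise RuntimeError("port not configured")
        if not line.upper().startswith("AT"):
            return "DATA"  # ordinary user traffic handed to the port service
        body = line[2:].upper()
        if body.startswith(RESTRICTED_AT):
            self.events.append(f"data: refused restricted command {line!r}")
            return "ERROR"
        if body.startswith("E0"):  # non-restricted, per-session setting: echo off
            self.active["echo"] = False
        return "OK"


def nas_session(upc, user, lines):
    """NAS side: identify the user, map to account group and template, select the
    template over the control path, then relay the session's data-path lines."""
    template = ACCOUNT_GROUP_TEMPLATE[USER_ACCOUNT_GROUP[user]]
    upc.control(f"SELECT_TEMPLATE {template}")
    return [upc.data(line) for line in lines]


if __name__ == "__main__":
    legacy = LegacyServerModem(SERVICE_TEMPLATES["modem-v90"])
    legacy.data("AT&F")                      # reverse-telnet user corrupts the config
    print("legacy after AT&F:", legacy.config)
    upc = UniversalPortController()
    print(nas_session(upc, "alice", ["ATE0", "AT&F", "PPP frame"]))
    print("upc after AT&F:", upc.active, upc.events)
```

Note that the data-path check only has to recognise the restricted command set, since the template itself is never on the data path; the legacy modem has no equivalent point at which to tell a user's AT&F from an administrator's, because both arrive on the same serial path.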