This application relates to a public network access server having a user-configurable firewall.
The computer system 100 illustrated in FIG. 1 represents a typical hardware setup for executing software that allows a user to perform tasks such as communicating with other computer users, accessing various computer resources, and viewing, creating, or otherwise manipulating electronic content: that is, any combination of text, images, movies, music or other sounds, animations, 3D virtual worlds, and links to other objects. The system includes various input/output (I/O) devices (mouse 103, keyboard 105, display 107) and a general purpose computer 100 having a central processor unit (CPU) 121, an I/O unit 117 and a memory 109 that stores data and various programs such as an operating system 111, and one or more application programs 113. The computer system 100 also typically includes some sort of communications card or device 123 (e.g., a modem or network adapter) for exchanging data with a network 127 via a communications link 125 (e.g., a telephone line).
As shown in FIG. 2, a user of a computer system 129 can access a public network 131 (e.g., the Internet) via an access server 133 (such as an Internet service provider or "ISP"). Among other things, this enables computer system 129 to send and receive data from other computers (not shown in FIG. 2) that are connected to the public network 131 (referred to as "outside" computers). For example, one of the outside computers can act as a host of a web site from which the computer system 129 can view web pages using a "browser" program (e.g., an Internet browser such as Netscape Communicator version 4.7, which is commercially available from Netscape Communications Corporation of Mountain View, Calif.) running on the computer system 129.
By connecting to a public network 131 such as the Internet, however, the computer system 129 can become vulnerable to attacks from outsiders (sometimes referred to as "hackers" or "crackers") who use the public network 131 to attempt to gain unauthorized access to computers connected thereto. After gaining unauthorized access to a computer system 129, such outsiders often view, copy, alter, delete, and/or redistribute data and programs that reside on the computer system 129.
The threat to users who access the Internet using dial-up modem connections (referred to as "dial-up connections") over conventional plain old telephone service (POTS) lines typically has been relatively low. A user employing such a dial-up connection typically is assigned a temporary "IP address." An IP (Internet Protocol) address is a worldwide unique identifier that identifies a particular computer or other network device on the Internet. For example, as shown in FIG. 3, a user can access the Internet 141 via a modem 143 connected to a computer 145 by dialing into an access server 147 using a POTS line. The access server 147 includes a terminal server 149 having multiple "ports." Several dial-up modems (not shown in FIG. 3) are connected to the ports of the terminal server 149 in order to receive data transmitted by the user's modem 143. The terminal server 149 is connected to a dial-up host computer 151 (e.g., a computer workstation running a variant of the UNIX operating system). The dial-up host computer 151 is connected to the Internet 141, typically via a high-speed connection 153 (e.g., a T1 connection). The access server 147 and the high-speed connection 153 typically are maintained by an ISP.
A different temporary IP address is typically assigned to the user's computer 145 each time the user dials into the access server 147. The IP address that is assigned to the user's computer 145 is temporary since the user typically disconnects the computer 145 from the access server 147 when the user is not accessing the Internet. This allows the ISP to re-use the IP address previously assigned to the user's computer 145 as the temporary IP address of another computer that subsequently dials into the access server 147.
Because the IP address of the user's computer 145 may change each time the user dials into the access server 147, it is difficult for an outsider to use successfully hacking techniques that require knowledge of the IP address of the user's computer. For example, one cannot telnet into a user's computer 145 without knowing the computer's IP address.
Recently, high-speed alternatives to conventional dial-up Internet connections have become increasingly popular. These high-speed alternatives include digital subscriber lines ("DSL") and cable modem connections, which typically allow users to use their telephone lines for voice transmissions simultaneously with data connections. As a result, many users of these new high-speed connections do not disconnect their computers from the Internet when they are not actively accessing the Internet. Remaining persistently connected in this manner enables users to avoid the overhead (delay and effort) associated with reconnecting to the Internet that they otherwise would encounter each time they accessed the Internet. As a result, many Internet service providers are assigning fixed (i.e., non-temporary) IP addresses to computers that make use of such high-speed "always connected" Internet connections. However, because the use of permanent IP addresses facilitates certain hacking techniques, the security advantages associated with the use of temporary IP addresses are lost when fixed IP addresses are used.
One way in which enterprises such as businesses and educational institutions have protected their networks and computers (which typically are assigned fixed IP addresses) is to employ a "firewall." A firewall is a system for controlling access to the enterprise's network and/or computers (referred to as the "internal" network and computers) by other computers (referred to as "outside" computers) that attempt to access the internal networks and computers through a public network. The purpose of a firewall is to allow network elements to be attached to, and thereby access, a public network without rendering the network elements susceptible to unauthorized access from the public network. A successful firewall allows the network elements (e.g., routers, computers, servers, etc.) to communicate with the public network elements without rendering the network elements susceptible to attack or unauthorized inquiry over the public network. Such firewalls use known techniques such as "packet filtering" and "application gateways" for determining which data packets to forward to the inside networks and computers.
Firewalls that are employed to protect networks and computers used in business and educational settings typically implement a security policy that determines how each internal user of the firewall-protected network can access the public network. Typically, these security policies implement a "one-size-fits-all" approach in which all users of a certain type are assigned the same access rights to the public network. A one-size-fits-all approach often is desirable in such institutional settings since such an approach is generally simpler to implement, maintain, and audit and such institutions are generally in a position to impose such an approach on users of their networks and computers.
Most Internet service providers, however, traditionally have not employed firewalls to protect their users' computers from attacks originating from the Internet. Users who access the Internet via dial-up connections typically do not need such security measures due to the security advantages associated with the use of temporary IP addresses. Moreover, most ISPs do not wish to, and/or are not in a position to, impose on their users a one-size-fits-all security policy of the type conventionally associated with the use of firewalls. Instead, ISPs have typically left it up to their users to implement some type of firewall on their computers if they wish (referred to as "client-based firewalls").
Client-based firewalls typically require a certain amount of technical sophistication on the part of the user. For example, users requiring additional protection from attacks may be unaware either of the threat or the potential protection that can be provided by client-based firewalls. Even if the user is aware of the threat and the potential protection that can be provided by client-based firewalls, the user may be unable or unwilling to install a client-based firewall properly, e.g., because the user does not have the required technical expertise. Also, the user may fail to maintain the client-based firewall. For example, the user may fail to install updated software that addresses a newly discovered potential security weakness in the client-based firewall in a timely manner. Indeed, another shortcoming of client-based firewalls is that each user of a client-based firewall must separately update that user's firewall.
The present inventors recognized the need for a server-based firewall solution that does not impose a one-size-fits-all solution on the users of an access server.
Implementations may include one or more of the following features. In one aspect, a method of controlling access to a client computer connected to a network (e.g., a public network) by a server (e.g., an access server) may include maintaining at the server a user-changeable security setting for the client computer. Also, the method may include selectively granting access to the client computer from the network if allowed by the user-changeable security setting.
Selectively granting access to the client computer may include receiving at the server a request to establish a connection (e.g., an inbound connection) between an outside computer and the client computer and, if allowed by the user-changeable security setting, establishing the connection between the outside computer and the client computer. Moreover, selectively granting access to the client computer may include receiving at the server an inbound packet from an outside computer and, if allowed by the user-changeable security setting, forwarding the inbound packet to the client computer. The inbound packet may be formatted according to a first protocol, which may be used by the network. Also, the inbound packet may be encapsulated according to another protocol (e.g., a protocol used by a value-added network connected to the server) before being forwarded to the client computer. The method also may include de-encapsulating the encapsulated inbound packet at the client computer.
The method further may include receiving a change to the user-changeable security setting from a user of the client computer, and providing the change to the server. The user-changeable security setting may prohibit inbound connections from being established or may allow inbound connections to be established (e.g., if an outbound connection was previously established by the client computer with the outside computer).
In another aspect, a system for controlling access to a client computer connected to a network may include a server (e.g., an access server) connected to the client computer and the network (e.g., a public network). The system also may include server software in a computer-readable medium comprising instructions for causing the server to maintain a user-changeable security setting and selectively grant access to the client computer from the network if allowed by the user-changeable security setting. In addition, the system may include client software in a computer-readable medium comprising instructions for causing the client computer to receive a change to the user-changeable security setting from a user of the client computer and provide the change to the server computer.
The server software may include instructions to receive at the server a request to establish a connection (e.g., an inbound connection) between an outside computer and the client computer and, if allowed by the user-changeable security setting, establish the connection between the outside computer and the client computer.
The server software also may include instructions to receive at the server an inbound packet from an outside computer and, if allowed by the user-changeable security setting, forward the inbound packet to the client computer. The inbound packet may be formatted according to a first protocol, which may be used by the network. The system may also encapsulate the inbound packet according to another protocol (e.g., a protocol used by a value-added network connected to the server) before forwarding the inbound packet to the client computer. The server software may also include instructions to de-encapsulate the encapsulated inbound packet.
In another aspect, a server for controlling access to a client computer connected to a network may include a first port for connecting the server to the client computer and another port for connecting the server to the network. The server also may include software in a computer-readable medium comprising instructions for causing the server to maintain a user-changeable security setting and selectively grant access to the client computer from the network if allowed by the user-changeable security setting.
In another aspect, client computer software in a computer-readable medium residing on a client computer that is connected by a server to a network may include instructions for causing the client computer to receive a change to a user-changeable security setting from a user of the client computer and provide the change to the server. The user-changeable security setting may be used by the server to selectively grant access to the client computer from the network if allowed by the user-changeable security setting. For example, the user-changeable security setting may be used by the server to establish a connection (e.g., an inbound connection) between an outside computer and the client computer if allowed by the user-changeable security setting. Also, the user-changeable security setting may be used by the server to forward an inbound packet to the client computer if allowed by the user-changeable security setting. The inbound packet is formatted according to a first protocol, which may be used by the network. Furthermore, the inbound packet may be encapsulated according to another protocol (e.g., a protocol used by a value-added network connected to the server) before being forwarded to the client computer. The software may also include instructions to de-encapsulate the encapsulated inbound packet.
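The method of the first aspect and the server, client and server software of the later aspects all turn on the same few mechanisms: the server keeps a per-client, user-changeable security setting with a protective default; on each inbound packet it consults that setting (and, for the "allow if an outbound connection was previously established" case, a record of the client's own outbound flows) before forwarding; and a forwarded packet is encapsulated in the value-added network's protocol for the client software to de-encapsulate. The following Python model, added here as an illustration and not code from the application or its assignee, shows those pieces working together. The three setting names, the `VAN1` tunnel header format, the `AccessServer` class and all addresses and packets are constructed assumptions; the application does not specify any of them.

```python
"""Model of an access server with a per-client, user-changeable firewall setting.

Added example; the setting names, tunnel format and addresses are assumptions.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Setting(Enum):
    """User-changeable security settings a client may select (assumed names)."""
    BLOCK_INBOUND = "block_inbound"          # outsiders may never open a connection
    ALLOW_KNOWN_HOSTS = "allow_known_hosts"  # outsiders the client connected to earlier may connect back
    ALLOW_INBOUND = "allow_inbound"          # any outsider may connect


@dataclass(frozen=True)
class Packet:
    """Minimal IP-style packet carrying just the fields the decision needs."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes


TUNNEL_MAGIC = b"VAN1"  # assumed header of the value-added network between server and client


def encapsulate(pkt: Packet) -> bytes:
    """Wrap a network packet in the (assumed) value-added-network tunnel format."""
    meta = f"{pkt.src}|{pkt.sport}|{pkt.dst}|{pkt.dport}|{pkt.proto}".encode()
    return TUNNEL_MAGIC + struct.pack("!HH", len(meta), len(pkt.payload)) + meta + pkt.payload


def decapsulate(frame: bytes) -> Packet:
    """Reverse of encapsulate, as the client software would run it; rejects malformed frames."""
    if len(frame) < 8 or frame[:4] != TUNNEL_MAGIC:
        raise ValueError("not a tunnel frame")
    mlen, plen = struct.unpack("!HH", frame[4:8])
    meta = frame[8:8 + mlen].decode().split("|")
    payload = frame[8 + mlen:8 + mlen + plen]
    if len(meta) != 5 or len(payload) != plen:
        raise ValueError("truncated or malformed frame")
    src, sport, dst, dport, proto = meta
    return Packet(src, int(sport), dst, int(dport), proto, payload)


class AccessServer:
    """Holds each client's setting and decides what inbound traffic to forward."""
    DEFAULT = Setting.BLOCK_INBOUND  # protects users who never touch the setting

    def __init__(self) -> None:
        self.settings: dict[str, Setting] = {}   # client address -> chosen setting
        self.outbound: set[tuple] = set()        # 5-tuples of flows the client opened

    def apply_change(self, client: str, setting: Setting) -> None:
        """Receive a setting change sent up by the client software."""
        self.settings[client] = setting

    def setting_for(self, client: str) -> Setting:
        return self.settings.get(client, self.DEFAULT)

    def note_outbound(self, pkt: Packet) -> None:
        """Record a client-to-network packet so replies can be recognised later."""
        self.outbound.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))

    def handle_inbound(self, pkt: Packet) -> tuple[bool, str, Optional[bytes]]:
        """Return (forwarded?, reason, encapsulated frame or None) for a network-to-client packet."""
        client = pkt.dst
        setting = self.setting_for(client)
        reply_to_client_flow = (client, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.outbound
        known_host = any(f[0] == client and f[2] == pkt.src for f in self.outbound)
        if reply_to_client_flow:
            reason = "reply to a connection the client opened"
        elif setting is Setting.ALLOW_INBOUND:
            reason = "setting allows all inbound connections"
        elif setting is Setting.ALLOW_KNOWN_HOSTS and known_host:
            reason = "setting allows hosts the client previously connected to"
        else:
            return False, f"dropped: {setting.value} forbids new inbound from {pkt.src}", None
        return True, reason, encapsulate(pkt)


def demo() -> dict[str, bool]:
    """Walk one client through the three settings with constructed packets."""
    server = AccessServer()
    client, web, unknown = "10.0.0.5", "203.0.113.10", "198.51.100.7"  # constructed addresses
    server.note_outbound(Packet(client, 40000, web, 80, "tcp", b"GET / HTTP/1.0\r\n"))
    reply = Packet(web, 80, client, 40000, "tcp", b"HTTP/1.0 200 OK\r\n")
    new_from_web = Packet(web, 4444, client, 22, "tcp", b"")
    new_from_unknown = Packet(unknown, 5555, client, 22, "tcp", b"")
    results: dict[str, bool] = {}
    results["default_reply"] = server.handle_inbound(reply)[0]            # True
    results["default_new"] = server.handle_inbound(new_from_web)[0]       # False
    server.apply_change(client, Setting.ALLOW_KNOWN_HOSTS)
    results["known_hosts_web"] = server.handle_inbound(new_from_web)[0]   # True
    results["known_hosts_unknown"] = server.handle_inbound(new_from_unknown)[0]  # False
    server.apply_change(client, Setting.ALLOW_INBOUND)
    results["open_unknown"] = server.handle_inbound(new_from_unknown)[0]  # True
    return results


if __name__ == "__main__":
    for name, forwarded in demo().items():
        print(f"{name}: {'forwarded' if forwarded else 'dropped'}")
```

Two design points carry over from the text. The protective default is what gives users who never change anything a degree of protection, so `setting_for` must never fail open for an unknown client. And because the setting lives at the server, the ISP can tighten `handle_inbound` or change `DEFAULT` once for every client, which is the centrally managed response the application contrasts with per-client firewall updates.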
One or more of the following advantages may be realized. A public network access server having a user-configurable firewall provides a server-based firewall solution that need not impose a one-size-fits-all solution on the users of the access server. The server-based firewall may be centrally managed by an ISP who presumably has the requisite expertise to properly manage such a server-based firewall. Also, the ISP may respond to new threats to, and/or vulnerabilities in, the server-based firewall by implementing a response at a centrally managed location of the server-based firewall, as opposed to having each user of the access server separately implement such a response on each client computer. In addition, by employing a default security setting, such an access server provides a degree of protection for those users who are unaware of the potential threats to their computers and/or the potential benefits of employing a firewall.
Further advantages and features will be apparent from the following description, including the drawings and the claims.