1. Field of the Invention
The present invention relates in general to securing access to a computer and computer data, and more particularly to a security methodology for securing access to an enterprise network or extranet having access from the public Internet.
2. Background Art
In conventional remote connect computer systems, a connection is made with a large legacy system via a dial-up connection from a customer owned terminal, personal computer or workstation. This connection frequently, although not always, is a fixed copper connection through one or more telco central offices and emulates a terminal addressable by the legacy systems and employs a security methodology dictated by the legacy system. The dial-up access requires custom hardware for a terminal or custom software for a workstation to provide a remote connection. This includes dial-up services, communication services, emulation and/or translation services and generally some resident custom form of the legacy application to interface with the midrange or mainframe computer running the legacy system.
There are several problems associated with this approach. First, the aforementioned software is very hardware dependent, requiring multiple versions of software compatible with each of a wide range of workstations customers generally have. In addition, an extensive inventory of both software and user manuals for distribution to the outside customers is required if an enterprise desires to make its resources available to its customers. Moreover, installing the software generally requires an intensive effort on the customer and the software support team before any reliable and secure sessions are possible.
Secondly, dial-up, modem, and communications software interact with each other in many ways which are not always predictable to a custom application, requiring extensive trouble shooting and problem solving for an enterprise desiring to make the legacy system available to the customer, particularly where various telephone exchanges, dialing standards or signal standards are involved.
Thirdly, although businesses are beginning to turn to the Internet to improve customer service and lower costs by providing Web-based support systems, when an enterprise desires to make more than one system available to the customer, the custom application for one legacy system is not able to connect to a different legacy system, and the customer must generally logoff, logon and re-authenticate to switch from one to the other. The security and entitlement features of the various legacy systems may be completely different, and vary from system to system and platform to platform. The security methodology used by the two legacy systems may be different, requiring different logon interfaces, user or enterprise IDs and passwords. Different machine level languages may be used by the two systems as for example, operating systems utilizing the 256 (=28) character combination EBCDIC used by IBM, and 128 (=27) character combination ASCII used by contemporary personal computers.
It is therefore desired to provide remote customers with secure connectivity to enterprise legacy systems over the public Internet. The public Internet provides access connectivity world wide via the TCP/IP protocol, without need to navigate various disparate security protocols, telephone exchanges, dialing standards or signal standards, thereby providing a measure of platform independence for the customer.
As contemplated with the present invention the customer can run their own Internet Web browser and utilize their own platform connection to the Internet to enable services. This resolves many of the platform hardware and connectivity issues in the customers favor, and leaves the choice of platform and operating system to the customer. Web-based programs can minimize the need for training and support since they utilize existing client software which the user has already installed and already knows how to use. Further, if the customer later changes that platform, then, as soon as the new platform is Internet enabled, service is restored to the customer.
The connectivity and communications software burden is thus resolved in favor of standard and readily available hardware and the browser and software used by the public Internet connection.
Secure World Wide Web (Web)-based online systems are now starting to emerge, generally using security protocols supplied by the browser or database vendors. These Web-based online systems usually employ HTTPS and a Web browser having Secure Sockets Layer (SSL) encryption, and they display Hypertext Markup Language (HTML) pages as a graphical user interface (GUI), and often include Java applets and Common Gateway Interface (CGI) programs for customer interaction.
For the enterprise, the use of off-the-shelf Web browsers by the customer significantly simplifies the enterprise burden. Software development and support resources are available for the delivery of the enterprise legacy services and are not consumed by a need for customer support at the workstation level.
However, the use of the public Internet also introduces new security considerations not present in existing copper wire connections, as an open system increases the exposure to IP hijackers, sniffers and various types of spoofers that attempt to collect user IDs and passwords, and exposes the availability of the service to the users when the system is assaulted by syn-flooding, war dialers or ping attacks. These measures also need to be combined with traditional security measures used to prevent traditional hacker attacks, whether by copper wire or the Internet, that might compromise the enterprise system and its data.