1. Field of the Invention
The present invention relates to networks, and more specifically to a method and apparatus for preventing unauthorized use of a permanent virtual connection provisioned on a network.
2. Related Art
Networks are often used to provide virtual connections between end systems. A typical network includes several network elements (e.g., switches, routers, DSL access multiplexors) to provide a virtual connection between two end systems (e.g., telephones, computer systems). A connection provides the necessary data transport to enable network applications (e.g., voice calls, remote access) between the two end systems. A connection is generally referred to as a virtual connection due to the absence of dedicated wires connecting the end systems.
In a typical situation, a user uses a user system (e.g., computer system implementing client software) to access a protected system (e.g., a computer system implementing server software). An accessed system is generally referred to as a protected system because it is often desirable to prevent unauthorized access to the accessed system. The user system and protected system are examples of end systems. In general, several user systems access a protected system and an organization (e.g., a corporation) may have several protected systems serving several different purposes and applications.
Some connections between user systems and protected systems may be provided as permanent virtual connections (PVCs). A permanent virtual connection generally refers to a virtual connection which not terminated when not in use. As an illustration, a non-permanent virtual connection may be terminated when a voice call using the connection is terminated. On the other hand, a permanent virtual connection may not be terminated even if a voice call using the connection is terminated.
Devices such as customer premise equipment (CPE) are often used in provisioning the PVCs (any virtual connections, in general) as is well known in the relevant arts. A typical PVC is provisioned between two dedicated CPEs. A user system generally sends and receives data to/from one CPE (conveniently termed as xe2x80x9cuser CPExe2x80x9d hereafter) and a protected system sends and receives data to/from another CPE. The CPEs in turn use a provisioned PVC for transferring the data between the user system and the protected system.
One problem with such PVCs is that there may be an enhanced risk of unauthorized access to protected systems. The risk is generally due to the feature of not terminating PVCs even when not in use. As an illustration, an authorized user may first logon to a protected system from a user system using a provisioned PVC and leave the session active. As the PVC is not terminated even if no data is transferred, an unauthorized user may later work with the protected system using the same user system and active session. Such unauthorized access may be undesirable.
Password type authentication mechanisms are often used on protected systems for protection against unauthorized use. Some protected systems may use periodic authentication, at least upon inactivity in a session. Such periodic authentication may prevent unauthorized access in some situations. However, not all protected systems may have such periodic authentication mechanisms. In addition, authentication mechanisms may not be robust on the protected systems. Accordingly, an administrator of the protected systems may be concerned about the risk of unauthorized use and access of the protected systems.
Therefore, what is needed is a method and apparatus for preventing unauthorized use and access of any protected systems accessible by a permanent virtual connection provisioned on a network.
The present invention may prevent unauthorized use of a permanent virtual circuit (PVC) (xe2x80x9cmanaged PVCxe2x80x9d) by forcing a user to authenticate upon the occurrence of a pre-specified condition. A telecommunication system in accordance with the present invention may include a user system connected to a user CPE, and a protected system connected to a managed CPE. A network is provided between the two CPEs. A managed PVC may be provisioned on the network between the user CPE and the managed CPE.
In accordance with the present invention, a connection manager may determine whether any pre-specified condition has occurred. If the condition has occurred, the connection manager may block data transfer on the managed PVC by interfacing preferably with the managed CPE. Absence of data transfer for a pre-specified duration is an example of a condition.
The user may then be required to authenticate before allowing the data transfer on the managed PVC. An out-of-band connection may be used for such authentication. The out-of-band connection may be implemented by another PVC provided on the same network supporting the managed PVC.
Due to the authentication procedure, unauthorized use of the managed PVC may be prevented. In addition, as the out-of-band connection can also be provided on the network, the implementation of authentication procedure may be simplified.
In an embodiment, the connection manager includes an access control block and an authentication server. The access control block may control the data flow on the managed PVC by controlling the managed CPE. The access control block may be designed to operate with a pre-existing authentication server used by any other systems, thereby reducing the cost of implementing the present invention.
Thus, the present invention may prevent unauthorized use of a managed PVC by requiring a user to authenticate periodically.
The present invention prevents (or minimizes) unauthorized use of protected systems irrespective of the robustness of any authentication loopholes on protected systems as the user is required to authenticate for transferring data on the PVCs providing access to the protected systems.
The present invention provides a cost-effective mechanism for authentication by providing another PVC using the shared network.
The present invention enables pre-existing authentication servers to be used by separating the access control block from the authentication server.
Further features and advantages of the invention, as well as the structure and operation of various embodiments of the invention, are described in detail below with reference to the accompanying drawings. In the drawings, like reference numbers generally indicate identical, functionally similar, and/or structurally similar elements. The drawing in which an element first appears is indicated by the leftmost digit(s) in the corresponding reference number.