The invention is directed to network security and to a method and system for controlling access to a protected network resource.
Network security systems use a variety of “tokens” to establish the identity of a user trying to log in or gain access to the network. Most commonly these tokens are a username and a secret password. However, passwords can become known to third parties: the user may disclose them inadvertently or write them down, or they may be obtained by phishing or intercepted in transit. To increase security further, one-time passwords generated by a small electronic device carried by the user may be used, or the user may establish a set of security questions and answers with which the system can challenge the user before granting access. However, one-time passwords and security questions place an additional burden on the user.
It has been suggested that security can be enhanced where access to a network is made inside a secure building or site by integrating the building access security system with the network security system. This could be particularly useful for wireless networks where a user's physical location is not defined. Many offices now support wireless access to corporate networks but the wireless field often extends beyond the physical boundary of the building providing an opportunity for unauthorised “snoopers” to access the corporate network.
According to such a system, a user log-in attempt is collated with the security check that is performed on people attempting to enter each secure site. For example, each secure site has one or more access control points, normally involving a security barrier, such as an automatic door or gate operated by a personal electronic identity card. A physical barrier may not always be required and may be replaced by a checkpoint, either automatic or, possibly, staffed by security personnel, at which the user's identity card is read before entering the secure site. These identity cards are electronic, inasmuch as they have the ability to store information related to the carrier of the card (i.e. the employee). The identity card may be of the “swipe” type (where a magnetic strip contains encoded data identifying the holder of the card). Alternatively, the identity card may be a “proximity” type wherein a semiconductor memory, or similar, contains data that is communicated to the electronics in the security barrier by a very short-range radio link.
Accordingly, for a user to log in to the secure corporate network, they have first to pass through the building security barrier and, in the process, to identify themselves to the building access security system. The building access security system is linked to the network access system to allow this information to be shared.
A problem can arise where the building access control system does not require users to register on leaving the secure building or site (i.e. to swipe-out) or if a user manages to avoid the exit barriers, for example during a building evacuation exercise. This can weaken the effectiveness of using a record of building presence to support authentication of a user.
The present invention provides a method for controlling access to a protected network resource comprising the steps of: receiving a request and user credentials from a user via a network access point located within a restricted area for access to the protected network resource; checking the user credentials against predetermined user information so as to authenticate the user; checking whether the user is recorded as being within the restricted area; allowing the user access to the protected network resource if the user credentials are authenticated and the user is recorded as being within the restricted area; monitoring the user's network connection and on detection that the user is disconnected from the network, recording the user as not located within the restricted area.
According to a preferred embodiment, the method includes consulting an access control system for the restricted area as to whether the user is within the restricted area and recording the user's location accordingly.
According to a preferred embodiment, the method includes on detection that the user is disconnected from the network, overwriting the record of the user's location to indicate that the user is no longer within the restricted area.
According to a preferred embodiment, the method includes establishing a database holding information on the user's location and network authentication status, in which checking whether the user is recorded as being within the restricted area includes checking the database.
According to a preferred embodiment, the method includes comparing the time of the recorded entry into the restricted area with the time of the request and allowing the user access to the protected network resource if the request occurs within a set time period after the recorded entry.
According to a preferred embodiment, the method includes requiring additional credentials from the user to support the user's request when the user is not recorded as being within the restricted area.
According to a preferred embodiment, the restricted area access control system records the user as having entered the restricted area following a successful challenge, in which the challenge consists of at least one of: verifying a physical security token; and verifying security information provided by the user via a terminal.
According to a preferred embodiment, the method includes detecting that the user is disconnected, receiving a new request for access and allowing the user access to the protected network resource if the user is recorded as re-entering the restricted area.
According to a preferred embodiment, the step of checking whether the user is recorded as being within the restricted area precedes checking the user credentials.
The present invention also provides an access controller for controlling access to a protected network resource, in which the access controller is arranged for connection to a network access point located within a restricted area; in which the access controller is arranged to receive a request for access to the protected network resource and user credentials from a user via the network access point and to check the user credentials against predetermined user information so as to authenticate the user; in which the access controller is arranged to check information from a restricted area access control system as to whether the user is recorded as being within the restricted area; in which the access controller is arranged to allow the user access to the protected network resource if the user credentials are authenticated and the user is recorded as being within the restricted area; in which the access controller is arranged to monitor the user's network connection and on detecting disconnection of the user from the network, the access controller is arranged to record the user as not located within the restricted area.
According to one aspect, the access controller comprises means for accessing storage for storing user status information, in which the user status information comprises: information from the restricted area access control system indicating that the user has registered their entry into the restricted area; information from an authentication system indicating that the credentials supplied by the user have been accepted; in which the access controller is arranged to update, upon detecting disconnection of the user from the network, the information from the restricted area access control system to indicate that the user has left the restricted area.
According to a further aspect, the information from the restricted area access control system indicating that the user has registered their entry into the restricted area derives from one of: the user passing an access control point to enter the restricted area; and the user communicating with the restricted area access control system via a terminal.
According to a further aspect, the access controller is arranged, upon determining that the user is not recorded as being within the restricted area, to require additional credentials from the user to support the user's request.
According to a further aspect, the access controller is arranged to record the time of the user's entry into the restricted area and the time of the request and to allow the user access to the protected network resource if the request occurs within a set time period after the entry. The present invention also provides a computer network comprising the access controller.
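The method set out in the preceding embodiments and the access controller described above, modelled end to end as an added example (illustrative code written for this page, not code from the application or from any product): presence is checked before credentials, a recorded entry supports a request only within a set time period, a user not recorded as present is asked for an additional credential, and disconnection from the network overwrites the presence record so that a missed swipe-out cannot be exploited later. Assumptions that the text does not make: network access points inside the restricted area are identified by an access-point identifier, passwords are held as PBKDF2 hashes, the additional credential is a one-time code stored alongside the user record, and the time period is eight hours. The user, password, OTP and access-point names are constructed sample data.

```python
"""Presence-gated network access control: an illustrative model, not the application's code."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Assumed "set time period" after a recorded entry during which that entry still
# supports a log-in request; the text leaves the period unspecified.
ENTRY_WINDOW_SECONDS = 8 * 3600
PBKDF2_ROUNDS = 100_000


@dataclass
class UserStatus:
    """One row of the status database: building presence plus network state."""
    in_area: bool = False             # from the restricted-area access control system
    entry_time: Optional[float] = None
    authenticated: bool = False       # from the authentication system
    connected: bool = False


class AccessController:
    def __init__(self, user_db, in_area_access_points, window=ENTRY_WINDOW_SECONDS):
        self._users = user_db                    # username -> (salt, pbkdf2 hash, otp code)
        self._aps = set(in_area_access_points)   # access points physically inside the area
        self._window = window
        self._status: dict[str, UserStatus] = {}

    def _status_for(self, user: str) -> UserStatus:
        return self._status.setdefault(user, UserStatus())

    # Event from the building access control system: badge read at an access
    # control point, or the user registering via a terminal.
    def record_entry(self, user: str, ts: float) -> None:
        st = self._status_for(user)
        st.in_area, st.entry_time = True, ts

    # Event from connection monitoring: disconnection overwrites the presence
    # record, so a user who never swiped out cannot be relied upon as "present".
    def on_disconnect(self, user: str) -> None:
        st = self._status_for(user)
        st.connected = st.authenticated = st.in_area = False
        st.entry_time = None

    def _password_ok(self, user: str, password: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, expected, _ = rec
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, expected)

    def request_access(self, user, password, access_point, ts, otp=None) -> str:
        """Return 'allow', 'deny' or 'step_up_required'."""
        # The request must arrive via an access point located within the restricted area.
        if access_point not in self._aps:
            return "deny"
        # Presence is checked before the credentials (preferred embodiment).
        st = self._status_for(user)
        present = (st.in_area and st.entry_time is not None
                   and 0 <= ts - st.entry_time <= self._window)
        if not present:
            # Not recorded inside, or the entry is too old: require an additional credential.
            if otp is None:
                return "step_up_required"
            rec = self._users.get(user)
            if rec is None or not hmac.compare_digest(otp.encode(), rec[2].encode()):
                return "deny"
        if not self._password_ok(user, password):
            return "deny"
        st.authenticated = st.connected = True
        return "allow"


def make_user_db():
    """Constructed sample credential store: one user, one static OTP for the step-up path."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, PBKDF2_ROUNDS)
    return {"alice": (salt, pw_hash, "493021")}


def run_scenario() -> list:
    ctl = AccessController(make_user_db(), in_area_access_points={"ap-floor2"})
    out = []
    # 1. No recorded entry: the correct password alone only earns a step-up challenge.
    out.append(ctl.request_access("alice", "correct horse", "ap-floor2", ts=1000))
    # 2. Badge in, then log in within the window from an in-area access point.
    ctl.record_entry("alice", ts=1000)
    out.append(ctl.request_access("alice", "correct horse", "ap-floor2", ts=1200))
    # 3. The same credentials via an access point outside the area are refused.
    out.append(ctl.request_access("alice", "correct horse", "ap-carpark", ts=1300))
    # 4. Disconnection clears presence even though no swipe-out was recorded.
    ctl.on_disconnect("alice")
    out.append(ctl.request_access("alice", "correct horse", "ap-floor2", ts=1400))
    # 5. Additional credential (OTP) plus password succeeds without a presence record.
    out.append(ctl.request_access("alice", "correct horse", "ap-floor2", ts=1500, otp="493021"))
    # 6. Re-entry re-arms presence, but a wrong password is still refused.
    ctl.record_entry("alice", ts=1600)
    out.append(ctl.request_access("alice", "wrong", "ap-floor2", ts=1700))
    # 7. An entry older than the window no longer supports the request.
    ctl.record_entry("alice", ts=2000)
    out.append(ctl.request_access("alice", "correct horse", "ap-floor2",
                                  ts=2000 + ENTRY_WINDOW_SECONDS + 1))
    return out
```

Two points a practitioner would check in such a design. First, the presence test is deliberately done before the password check and is gated on the access-point identifier, so a request that cannot have originated inside the restricted area is refused before any credential is examined. Second, how the network detects a disconnection (for example 802.1X session termination or DHCP lease expiry) is outside the scope of the text and of this model; whatever mechanism is used, the model treats a disconnect as authoritative and requires a fresh recorded entry, or the additional credential, before the next request is allowed.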