1. Field of the Invention
The present invention relates to the field of data communications. More particularly, the present invention relates to a system and method for static selection of tunnel-based network connections.
2. The Background Art
A significant concern of the individual private and public domains making up the Internet or any other system incorporating multiple networks is the ability to ensure that only those subscribers who are authorized to access the individual private and public domains within the comprehensive network have the capability to access such networks. Serious security risks are posed by the possibility of unauthorized users having the know-how and capability to invade the individual private and public domains within the network.
In today's networking environment, many privately owned domain sites exist on the Internet that allow access only to those individuals which have been granted the proper authorization. For example, these may include company owned private domains containing confidential information and, as such, the company may grant access only to those employed by the company, or they may be communities of interest (i.e. “pay-sites”) that provide information only to those subscribers which subscribe to the privately owned domain. The subscriber who connects to the Internet, typically by means of an Internet Service Provider (ISP) or Telephone Company (Telco), may also possess the capability to assume the identity of an authorized user. This capability heightens the potential for security violations.
Additionally, it is becoming increasingly more prevalent for individual computer users to have the capability to remotely access privately owned intra networks. Such Virtual Private Networks (VPNs) allow the user to connect with the private intra network of the company from the user's residence by means of the telephone line or other convenient means. The inception of wireless remote connections have even made it possible for users to connect from almost any imaginable locale. The ability to connect remotely to individual private intra networks, once seen as a luxury, has become so commonplace that many working professionals require such access in order to accomplish their everyday job assignments. In many instances, remote users connect to privately owned intra networks through the same means that individuals connect to the Internet, typically Telcos or ISPs. VPNs are cost-effective because users can connect to the Internet locally and tunnel back to connect to corporate resources. This reduces overhead costs associated with traditional remote access methods.
FIG. 1 shows a simplified diagram of a computer user connected to a computer network 10 via a host computer 12 linked to an access point 14 which grants authorization to external networks or domains 16, 18 and 20. The potential for a network security violation is posed by the user having the capability through the access point 14 to reach or “Knock on the door” of home gateways 22, 24 and 26.
Still referring to FIG. 1, the user has access to the computer networks through a workstation or host computer 12. The host computer 12 has the capability to connect with the external networks through an access point 14. An access point 14 is essentially an external location capable of permitting authorized users to access external computer networks. Typically, the access point consists of a series of Network Access Servers (NASs) and other related hardware, software and/or firmware. An access point 14 may also include a modem pool (not shown) maintained by a Telephone Company (Telco) or an Internet Service Provider (ISP) which enables its authorized users or subscribers to obtain external network access through the host computer 12 which has the required dial-up connection capability. Those of ordinary skill in the art will recognize that other types of access methods may be provided by a Telcos or ISP such as frame relay, leased lines, ATM (Asynchronous Transfer Mode), ADSL (Asymmetric Digital Subscriber Line) and the like.
Typically, when the user desires to access a specified domain, such as the first privately owned secured domain site 16, the user runs a network logon application program on the host computer 12 which requires the user to input user identification and authorization information as a means of initiating access to the desired network. This information is then directed to the access point 14 where it is verified to ensure that the host user has the required authorization to permit access to the desired network. Once authorization is granted to the user, a connection is established via the access point 14 with the home gateway 22 of the specified first privately owned secure domain site 16. The connection established may be a tunnel-based connection, such as L2TP (Layer Two Tunneling Protocol) or L2F (Layer Two Forwarding), or an IP-based (Internet Protocol) connection, such as used with ATM or frame relay. The user of the host computer 12, having established such a connection, has the ongoing capability to access the specified domain until the connection is terminated either at the directive of the user or by error in data transmission. The access point 14 will typically have the capability to connect the user to various other privately owned secured domain sites, such as the second private domain site 18 or the public Internet 20. The user of the host computer 12 may use the PPP protocol to connect through the wholesaler networks to another Home Gateway.
Layer 2 Tunneling Protocol (L2TP) is used in many Virtual Private Networks (VPNs). An L2TP access concentrator (LAC) is a device that the client directly connects to and that tunnels Point-to-Point (PPP) frames to the L2TP network server (LNS). The LAC is the initiator of incoming calls and the receiver of outgoing calls. An L2TP network server (LNS) is the Termination point for an L2TP tunnel and the access point where PPP frames are processed and passed to higher layer protocols. The LNS handles the server side of the L2TP protocol. The LNS terminates calls arriving at any of the LAC's PPP interfaces, including asynchronous, synchronous and ISDN. The LNS is the initiator of outgoing calls and the receiver of incoming calls.
FIG. 2 is a block diagram that illustrates an L2TP tunnel and how a user typically connects to a privately owned domain site such as a corporate intranet. Using L2TP tunneling, an L2TP access concentrator (LAC) 100 located at the ISP's point of presence (POP) 105 exchanges PPP messages 110 with remote users 115 and communicates by way of L2TP requests and responses with the customer's L2TP network server (LNS) 120 to set up tunnels 125. The L2TP protocol passes protocol-level packets through the virtual tunnel 125 between end points of a point-to-point connection. Frames from remote users are accepted by the ISP's POP 105, stripped of any linked framing or transparency bytes, encapsulated in L2TP and forwarded over the appropriate tunnel 125. The customer's home gateway 120 accepts these L2TP frames, strips the L2TP encapsulation, and processes the incoming frames for the appropriate interface.
Turning now to FIG. 3 a block diagram that illustrates the use of AAA servers in an L2TP tunneling network is presented. The selection of the L2TP tunnel 200 at the LAC 205 or NAS is typically determined by an authentication, authorization and accounting (AAA) server 210 based upon the structured username (username@domain) in the PPP authentication packet. The AAA 210 looks up a service profile that matches the domain name string. The service profile includes the IP address of the L2TP network server (LNS) 215 and a password for the tunnel 200. Once tunnels are established, the LAC 205 forwards the subscriber's PPP session to the destination LNS 215 through the L2TP tunnel 200. The ISP or enterprise customer 220 receives new PPP sessions and authenticates the sessions using AAA server 225. Authenticated sessions are established on the LNS 215, while sessions that fail authentication are rejected.
Present methods of establishing a tunnel allow an unauthorized user to reach or “Knock on the door” of another Home Gateway 215, merely by changing the domain name provided in the PPP authentication packet to the domain name of the intended Home Gateway 215. In this scenario, all users having access to access point 205 would have the potential to reach the privately owned secured domain site. For example, a user having a domain name of xxx@corpA.com may change the domain name in the PPP authentication packet to xxx@corpB.com, allowing the user's PPP session to be forwarded to the corpB LNS through the L2TP tunnel assigned to corpB. Allowing such unauthorized access to a Home Gateway 215 subjects the Home Gateway 215 to potential security risks, including denial of service attacks.
Denial-of-service attacks typically focus on making a service unavailable for normal use, which is often accomplished by exhausting a resource limitation on the network or within an operating system or application. When involving specific network server applications, these attacks can focus on acquiring and keeping open all of the available connections supported by that server, effectively locking out valid users of the server or service. For example, a user intending to exploit present day L2TP systems could flood the network with many PPP sessions targeted to a Home Gateway for which the user is not authorized. Although the LNS authentication process would typically prevent an unauthorized user from access to the corporate intranet, the resources devoted to handling the large number of PPP sessions could adversely affect the services available to authorized users.
The currently available solutions to this problem are very limited and do not offer the level of security protection that most companies operating secured and confidential private intra networks demand. Companies have been able to minimize the risk by setting up internal access points which effectively cause the user/host to dial-in or connect directly with the private intra network without going through an external ISP or Telco. While this direct-connect service allows some measure of security it does so at the expense of increasing the costs associated with maintaining an internal access point and the additional connection costs related to remote users having to potentially incur long distance telephone service charges.
What is needed is a solution that prevents unauthorized PPP sessions from being forwarded to a destination LNS. A further need exists for such a solution that does not alter the original PPP authentication packet.