The present invention relates to a computer systems, and in particular to a networked client/server computer system configured to establish a trusted workstation.
Client/server computing has become quite a popular architecture in both small and large organizations. As known, these systems include a computer system which operates as a server for a plurality of personal computers and/or workstations, which are generally connected to the server via a network connection comprising a local area network (LAN) or a wide area network (WAN).
Client/server computing networks have dramatically increased and facilitated the access to information. However, due to ubtiqious nature of computer networks the threat to the integrity of the information stored on network resources due to xe2x80x9chackersxe2x80x9d/xe2x80x9cattackersxe2x80x9d and malicious software components (e.g., operating system and application program viruses) has also increased. Threats include any person, place or thing which poses some danger to a network asset.
Security of the information transmitted over the network must be assured when the network is used to transmit information for businesses such as banking, brokerage, government entities and other users of highly confidential or commercially valuable information. A known threat to the security of information available on a network is a hacker/attacker who poses as an authorized user of the network by impersonating the authorized user. Passwords and other similar operating system level security features often only make it difficult for the hacker/attacker to gain access to the network. However, a patient and capable hacker/attacker can generally bypass most conventional operating system level protections to access the network.
Therefore, there is a need for a technique for ensuring the security of the information stored on a client/server networked computer system and to provide a secure, trusted workstation.
An object of the present invention is to provide a trusted workstation.
Another object is to restrict communications between a trusted workstation and a known/authorized server.
A further object is to provide a trusted distributed data processing system.
Yet another object is to prevent an unauthorized network user from impersonating an authorized network user.
Briefly, according to the present invention, a trusted workstation includes a network interface card (NIC) with trusted computing base (TCB) extensions that provide for securely booting the workstation and performing subsequent receive and transmit packet filtering operation in support of a network""s system architecture requirements. The term xe2x80x9cTCB extensionxe2x80x9d refers to extensions of the server""s TCB that operate as part of the workstation""s network trusted computing base (NTCB).
The NIC comprises a send address confirmation circuit which contains a trusted source address (e.g., a medium access control (MAC) address or a network layer address) uniquely associated with the trusted workstation. In general, the source address can be any address that identifies the source of a packet, including for example the MAC address, Internet address, transport layer address or session layer address, etcetera. For each packet transmitted from the trusted workstation over the network, the NIC checks the source address inserted in the packet by an NIC driver to ensure that this driver-inserted source address matches the trusted source address. Thus, if untrusted software on the workstation attempts to transmit a packet with a source address other than the trusted source address, the NIC prevents the packet from being transmitted. This prevents malicious attempts by a hacker/attacker to forge packets from a workstation with another workstation""s source address.
The NIC also includes a receive address confirmation circuit that functions to ensure that the trusted workstation does not receive packets from entities other than known/authorized servers. That is, the NIC compares the source address of a packet received over the network to verify that it is from a authorized server. Significantly, if each workstation on a network is populated with a NIC, the known/authorized servers will control all packets on the network and can trust the source of all requests.
The send and receive address confirmation circuits are trusted because the contents of registers resident in these circuits are written to and modifiable only during a pre-boot state, which is the only time the untrusted elements (e.g., untrusted software on the workstation) are not accessed. That is, following a hardware reset and prior to execution of the operating or application software on the workstation, enforcement registers with the send and receive conformation circuits are written to with source address data, and then write disabled to prevent subsequent loading of unauthorized source address data.
Specifically, following a hardware reset of the workstation, the NIC is initialized and pre-boot modules are downloaded to the workstation over the network from a known server under the control of instructions resident in an adapter BIOS on the NIC. The NIC may be located on an expansion board separate (e.g., ISA or PCI compatible) from the workstation motherboard, or on the motherboard. Once the pre-boot modules are down loaded to the workstation, the pre-boot modules are executed to perform a loginxe2x80x94identification and authentication (I and A) function for the user and to load the enforcement registers with the send and receive trusted source address information. The enforcement registers are then locked (i.e., write disable) to prevent the contents of the send and receive enforcement registers from being modified until another hardware reset occurs. Once execution of the pre-boot modules is complete, the NIC BIOS transfers code execution to a workstation system BIOS to complete the initialization of the workstation.
The pre-boot modules resident in the NIC BIOS for performing the I and A function include executable code which communicates with the server to verify the identity of the user, log the user into the network once the identity is verified, and establish a connection with the server.
The NIC can enforce as a source address (i.e., compare source addresses) associated with the data link layer address, network layer source addresses or any other address that is used to identify the source of the packet. The data link layer address is the network medium""s address and is a hardware based value which is stored in the NIC. For Ethernet networks this address is often referred to as the MAC address. The network layer address is a protocol specific logical address, and therefore is understood to be above the data link layer address in the protocol stack associated with the network. To implement network layer source address enforcement, few intermediate network components (e.g., routers and bridges) need to be involved since the network layer source address is left unchanged by retransmission devices. However, with data link layer source address enforcement, at least one of the retransmission devices needs to be involved in the source address enforcement since the data link layer source address is modified as it traverses many of these devices, including routers.
An advantage of the present invention is that it provides an inexpensive technique for providing trusted workstations suitable for use in networks with heightened security requirements.
These and other objects, features and advantages of the present invention will become more apparent in light of the following detailed description of preferred embodiments thereof, as illustrated in the accompanying drawings.