1. Field of the Invention
The present invention relates to a system, method, signal, and computer program product for providing secure wireless access to private databases and applications. More particularly, the present invention relates to providing secure access to private networks for wireless devices without requiring a separate wireless security/authentication infrastructure for the private network.
2. Discussion of the Background Art
Whenever an external computing device is connected to a corporate network, that network is subject to becoming more vulnerable to security breaches. Network Administrators are left with few tools to guard against break-ins. State of the art security systems generally require special hardware or are only compatible with a small number of products. This problem is exacerbated in large networks that have many points of access.
To address this problem, Lucent Technologies InterNetworking Systems has developed a distributed security solution called Remote Authentication Dial-In User Service, or RADIUS. RADIUS is an example of a client-server internetworking security protocol configured to control authentication, accounting, and access control in a networked, multi-user environment. RADIUS provides a software-protocol-based approach to security that does not require special hardware. Distributed security separates user authentication and authorization from the communications process and creates a single, central location for user authentication data. The RADIUS protocols are defined in Internet Engineering Task Force (IETF) Request for Comments (RFC) 2138 dated April 1997 and RFC 2139 dated April 1997, the entire contents of both being incorporated herein by reference. RADIUS is a TCP/IP application layer protocol as defined in TCP/IP Illustrated: The Protocols by W. Richard Stevens (1994) and TCP/IP Clearly Explained, Third Edition, by Pete Loshin (1999), the contents of both being incorporated herein by reference.
Based on a model of distributed security previously defined by the IETF, RADIUS provides an open and scalable client/server security system. The RADIUS server can be easily adapted to work with third-party security products or proprietary security systems. To date, many types of communications servers and network hardware support the RADIUS client protocols and can communicate with a RADIUS server. RADIUS has become a widely accepted remote authentication protocol.
RADIUS supports a system of distributed security that secures systems against unauthorized access. A system based on RADIUS authentication includes a RADIUS authentication server and a RADIUS client. In conventional RADIUS systems, user authentication and network service access information is located on the RADIUS authentication server. RADIUS supports this information being in a variety of formats based on the customer's requirements. RADIUS, in its generic form, will authenticate users against, for example, a UNIX password file, Network Information Service (NIS), as well as a separately maintained RADIUS database. RADIUS-compliant communications servers operate to connect RADIUS clients with RADIUS servers. The RADIUS client sends RADIUS authentication requests to the RADIUS server and acts on responses sent back by the RADIUS server.
RADIUS is used to authenticate users through a protocol including a series of specially formatted messages between the client and the server. Once a RADIUS user is authenticated, the RADIUS client provides that RADIUS user with access to the appropriate network services.
FIG. 1 is an interaction diagram of an exemplary conventional RADIUS system for providing authentication over the Internet. The order of events in the diagram flows from top to bottom as indicated by the time progression identified by figure element 107. As shown in FIG. 1, an end user 101 initiates a session by dialing 108 into an Internet Service Provider's (ISP) 102 Point of Presence (POP) 103 on the Internet. The ISP POP 103 then requests 109 that the end user 101 identify himself. In response, the end user 101 provides, for example, a user ID, password, and access server identification 110. The ISP POP 103 then sends a RADIUS Access Request Message 111 containing the user identification information to its own ISP authentication server 104, which is a RADIUS server and awaits a response 117. Based on the user identification information provided in the RADIUS Access Request Message 111, the ISP Authentication Server 104 recognizes that the end user 101 is an access service provider 105 user. The access service provider 105 is, in this example, a third party that manages the access of remote end users 101 to a company's internal secure network (e.g., Company XYZ 106). FIBERLINK COMMUNICATIONS CORPORATION is an example of a company that provides this type of service. The ISP Authentication Server 104 therefore sends a RADIUS Access Request Message 113 containing the user identification information to the Access Service Provider 105 and awaits a response 116. Based on the user identification information provided in the RADIUS Access Request Message 113, the Access Service Provider 105 recognizes that the end user 101 is a COMPANY XYZ 106 user. The Access Service Provider 105 therefore sends a RADIUS Access Request Message 114 containing the user identification information to COMPANY XYZ 106 and awaits a response 115. 
Company XYZ 106 will then perform a RADIUS authentication for this particular end-user 101 and send either a RADIUS Access Granted or RADIUS Access Denied message 115 back to the Access Service Provider 105, which will then forward the RADIUS Access Granted or RADIUS Access Denied message 116 to the ISP authentication server 104, which in turn, forwards the RADIUS Access Granted or RADIUS Access Denied message 117 to the ISP POP 103, which finally generates and transmits a corresponding access granted/access denied status message 118 to the end user 101.
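The proxied exchange of FIG. 1, worked through as an added example that is not part of the patent text: an ISP POP acting as RADIUS client hides the password as RFC 2138 section 5.2 prescribes, and each forwarding server (ISP authentication server, access service provider) recovers it with the secret shared with the previous hop and re-hides it under the secret shared with the next hop before Company XYZ checks it against its own database. Hop names, shared secrets and the user database are constructed for the example; RFC 2138 calls the verdicts Access-Accept and Access-Reject, which the text above names Access Granted and Access Denied.

```python
import hashlib
import os

# Packet codes from RFC 2138 (Access-Accept / Access-Reject correspond to the
# "Access Granted" / "Access Denied" messages described in the text).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def xor_chain(data, secret, authenticator, reveal):
    """RFC 2138 section 5.2 User-Password hiding. Each 16-byte block is XORed
    with MD5(secret + previous ciphertext block); the first block uses the
    16-byte Request Authenticator. The same loop hides and reveals; only the
    choice of which block feeds the next MD5 differs."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        blk = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(blk, mask))
        out += res
        prev = blk if reveal else res      # the ciphertext block feeds the next step
    return out

def hide(password, secret, auth):
    return xor_chain(password + b"\x00" * (-len(password) % 16), secret, auth, False)

def reveal(hidden, secret, auth):
    return xor_chain(hidden, secret, auth, True).rstrip(b"\x00")  # drop NUL padding

# Constructed topology: every link in the chain has its own shared secret.
S = {"pop->isp_auth": b"isp-secret", "isp_auth->asp": b"asp-secret", "asp->xyz": b"xyz-secret"}
XYZ_USERS = {b"alice": b"correct horse"}   # Company XYZ's private authentication database

def company_xyz(user, hidden_pw, auth):
    """Final RADIUS server: checks the credential against its own database."""
    ok = XYZ_USERS.get(user) == reveal(hidden_pw, S["asp->xyz"], auth)
    return ACCESS_ACCEPT if ok else ACCESS_REJECT

def proxy(user, hidden_pw, auth, secret_in, secret_out, next_hop):
    """Forwarding server (ISP authentication server or access service provider):
    recovers the password with the inbound secret, re-hides it under the secret
    shared with the next hop and a fresh Request Authenticator, relays the verdict."""
    new_auth = os.urandom(16)
    pw = reveal(hidden_pw, secret_in, auth)
    return next_hop(user, hide(pw, secret_out, new_auth), new_auth)

def isp_pop_login(user, password):
    """ISP POP acting as RADIUS client; returns the code that comes back down the chain."""
    asp = lambda u, h, a: proxy(u, h, a, S["isp_auth->asp"], S["asp->xyz"], company_xyz)
    isp_auth = lambda u, h, a: proxy(u, h, a, S["pop->isp_auth"], S["isp_auth->asp"], asp)
    auth = os.urandom(16)
    return isp_auth(user, hide(password, S["pop->isp_auth"], auth), auth)

if __name__ == "__main__":
    print(isp_pop_login(b"alice", b"correct horse"), isp_pop_login(b"alice", b"wrong"))
```

Note that every forwarding server in the chain recovers the cleartext password before re-hiding it, so each intermediary must be trusted and each link needs a distinct shared secret.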
A limitation associated with the above-described capability is that it does not readily accommodate wireless users and their applications. Wireless devices (e.g., Personal Digital Assistants (PDAs) and wireless laptops) have become popular productivity tools, and given their portability, have become a desired tool for accessing applications and databases on secure networks from remote locations. Typically, access is via the Internet, reached through a wireless network provider. Because wireless network providers do not provide the services that an ISP provides, the ability to have RADIUS-authenticated connections from remote wireless devices is limited. Therefore, a tension has been created between providing the convenience of wireless remote access and maintaining a secure network.
One proposed solution to this problem is to provide a parallel authentication capability tailored to the needs of wireless users, wireless data services and communication technologies used in wireless networks. However, maintaining more than one authentication database in an organization is an administrative burden for information security personnel who must update multiple databases when employees or other authorized users arrive, depart, or otherwise change their access posture. Furthermore, maintaining more than one authentication database is an operational annoyance to users who may be required to maintain different passwords and be trained in different information security techniques for wireless and non-wireless access. Even further, as more access paths are provided for a network, more opportunities for a security breach or failure are created.