RU2316126C2 - Personal remote inter-network screen - Google Patents

Abstract

FIELD: method and server (10) of virtual private network (VPN) gateways for providing rules for wireless access through protected tunnel connection into corporate network (20).

SUBSTANCE: in accordance to the invention, corporate network (20) is protected by functional capabilities of inter-network screen with different access configurations for different remote users. Server (10) of VPN-gateways includes database (15) of users, which provides rules for accessing corporate network (20) for each user with usage of protected tunnel. Access rules include certain sets of TCP-ports, associated with certain users. Server (10) of gateways limits access of authenticated user to corporate network (20), where access is performed by means of tunnel connection, provided by server (10) of gateways, to associated permitted server TCP-ports.

EFFECT: expanded functional capabilities.

3 cl, 2 dwg

Description

FIELD OF THE INVENTION

The present invention relates to a method and server for virtual private network gateways (VPNs) for providing rules for wireless access over a secure tunnel connection to a corporate network.

BACKGROUND OF THE INVENTION

It is expected that the desire and ability to use wireless terminals to access the Internet will grow rapidly over the coming years. Such access will be significantly improved by third-generation mobile networks (3G), which mobile network operators have implemented or are ready to introduce worldwide. In addition, existing mobile networks have recently been upgraded with additional functionality to facilitate such access, for example, GSM (global mobile communication system) networks, upgraded with GPRS (General Packet Radio Broadcast) functionality.

At the same time, the number of employees who want to use wireless terminals to access their company’s resources when they are away from the office is constantly increasing, especially with the introduction of more and more powerful wireless devices that provide the functionality that makes them applicable as a tool for remote work.

The desire to provide wireless access to corporate network resources, together with the increasing opportunities for wireless access to the Internet, will increase the deployment of virtual private networks (VPNs) by companies to provide customers with wireless access to company resources.

In general, a virtual private network (VPN) is a concept that builds a secure private communications infrastructure on top of a public network. The logical concept of a VPN tunnel replaces a private communication line, and a tunnel can interconnect two nodes of a corporate network, the so-called inter-site VPN, or interconnect a remote user with a corporate network, the so-called remote access VPN.

In a remote access VPN, the VPN gateway server typically interconnects the corporate network with the Internet. Thus, a user can use a telephone line Internet connection provided by an Internet service provider to connect to a corporate network via a VPN gateway server. Since the user connects through the public network, certain security measures must be taken, typically encrypting the connection and authenticating the user. After the VPN gateway server successfully authenticates the user over the encrypted connection between the client and the corporate VPN gateway, the user is provided with access to the corporate network through the so-called secure VPN tunnel. Using the tunnel, the user is able to access various resources in the company’s network. Similarly, if users use wireless client terminals that access the Internet through a wireless network, secure VPN tunnels can be established between wireless clients and a VPN gateway through a wireless network and the Internet, thereby enabling wireless remote access to corporate network resources. .

As it was established, access to the corporate network through a secure connection of the VPN tunnel implies encryption of the connection and authentication of the accessing user. However, once a secure tunnel connection is established, there are no user-specific access rules within the tunnel. Instead, the tunnel allows the wireless client to use all the TCP ports (transmission control protocol ports) that are constantly open to any authenticated accessing user.

The presence of permanently open TCP ports within a secure loop-through connection for all authenticated users is not consistent with the fact that many employees using wireless client terminals only need access to certain applications within the corporate network. Moreover, some employees may not even be authorized (authorized) to access certain corporate applications. Therefore, it is desirable to provide a design that, in a simple way, allows the company to control the extent to which wireless clients are given the opportunity to access the corporate network within a secure VPN tunnel.

SUMMARY OF THE INVENTION

The present invention provides a VPN gateway with firewall functionality that is capable of distinguishing between the types of access allowed by different users to the corporate network.

According to the invention, these functionalities are achieved by the method according to independent claim 1 of the claims and the gateway server of the virtual private network according to independent claim 12 of the claims. Preferred embodiments are defined in the dependent claims.

The idea that the present invention is based on is to provide wireless remote access to a corporate network that is protected by firewall functionality, with different access configurations for different remote users.

According to the invention, the VPN gateway server includes a user database that provides rules specific to each user for accessing the corporate network using a secure tunnel. The rules include specific sets of TCP ports associated with the respective individual users. The gateway server restricts the authenticated user access to the corporate network, which access is made through the tunnel connection provided by the gateway server to the associated allowed server TCP ports.

Thus, instead of allowing the authenticated user to use any available server TCP ports within the secure tunnel, the firewall functionality of the VPN gateway server according to the present invention will merely provide the user with the ability to access the corporate network through the secure tunnel using server TCP ports associated with the user in the user database. This means that it is possible to distinguish between types of access to the corporate network that are allowed for different users. For example, a single user may be given the opportunity to use all the available TCP ports, or sockets, within a secure tunnel, thus allowing remote interaction with a different number of applications on the corporate network. At the same time, another user may be given the opportunity to use only server TCP ports for remote interaction with the e-mail server process on the corporate network.

The secure tunnel is preferably associated with a specific server TCP port of the gateway server, while the allowed TCP ports for real user traffic within the tunnel are pre-configured in the user database. The server TCP port for the tunnel itself is preconfigured in the user application.

Preferably, user access to the corporate network contains two separate TCP sessions. One is a VPN tunnel in the form of an encrypted connection between the user wireless client terminal and the gateway server, and one session is between the gateway server and the internal server of the corporate network. In the last of the two TCP sessions, the gateway server acts as a client with respect to the server socket specified by the allowed server TCP port.

The user database can be configured in various useful ways to control and refine user access to the corporate network via a tunnel connection. Some of these possible configurations are discussed below.

Preferably, the user database associates the server TCP port number of an individual user with a separate IP address (Internet Protocol address) within the corporate network. Thus, user data of different clients using the protocol of the same port through either using the same well-known sockets or using different TCP port numbers associated with the protocol of the same port can be forwarded to the recipients of information with different IP addresses within the corporate network. These recipients of information can then be used to distinguish between available resources and applications for different users using the same access protocol.

Advantageously, the allowed server TCP ports of the user are the client side server TCP ports associated in the user database with the corresponding server side server TCP ports. This provides the ability to associate different server TCP ports of the client side with the same server TCP port of the server side. This is useful because it gives the client the ability to run, for example, two different instances of the client application processes with respect to the same server application process. For example, a client can have two parallel mail client processes communicating with the same mail server process.

In addition, it is useful to configure the user database to associate different client-side TCP ports that are allowed for a single user with the same server-side TCP port, but with different IP addresses. Thus, the client is able to receive parallel connections, using the same protocol, with different IP addresses on the corporate network, using different client-side TCP ports for different connections. This provides an opportunity for the client to have at their disposal different parallel processes of the mail client, which communicate with different processes of the mail server at different IP addresses.

Advantageously, the user database is configured to associate the client side server TCP port with the server side server TCP port and the IP address of the corporate DNS server (domain name service server) within the corporate network. This gives the client of interest the ability to use the corporate DNS service within the tunnel connection.

The set of allowed server TCP ports within the tunnel that are associated with a particular user is preferably transmitted to the user after he has been authenticated. Thus, the user will be informed about those server TCP ports that are allowed to be used in the tunnel, in the case when the client has not been preconfigured using information about such allowed server TCP ports. In addition, this makes it possible to change the allowed TCP ports in the user database without the need to reconfigure the client accordingly before using the tunnel connection.

Server TCP ports allowed for use by the client can be well-known sockets or arbitrary ports. In the case where arbitrary server TCP ports are used, an embodiment of the invention provides that the user database associates a port-specific protocol with allowed server TCP ports, which protocols are transmitted to the client along with the TCP ports after authentication.

The above and additional features and advantages of the present invention will be more fully understood from the following description of a number of illustrative embodiments of the invention. As you know, various modifications, changes and various combinations of features that fall within the essence and scope of the invention will become apparent to specialists in this field of technology when studying the main idea presented in the materials of this application, and the subsequent detailed description.

LIST OF FIGURES

Illustrative embodiments of the present invention will now be described with reference to the accompanying drawings, in which:

Figure 1 is a schematic representation of an illustrative environment of the system as a whole, in which an embodiment of the invention is enclosed and operational; and

Figure 2 is a schematic representation of the same illustrative environment of the system as a whole, in which another embodiment of the invention is enclosed and operational.

DETAILED DESCRIPTION OF THE INVENTION

With reference to FIG. 1, the invention will now be described in more detail. 1 shows a gateway server 10 of a virtual private network (VPN) interconnecting a corporate network 20, typically an Internet network (a local area network using Internet technologies) and an Internet network 30. A user wireless client terminal 40 is shown as having access to Internet via a wireless network 50.

The VPN gateway server includes a user database 15 configured to associate different users with different user-specific rules for accessing the corporate network 20. The user database provides user-specific rules by associating different users with different sets server TCP ports, which are allowed to be used when accessing the corporate network through the connection of the VPN tunnel.

The VPN gateway server 10 is configured to use one specific server TCP port to provide a secure VPN tunnel with which the user can access the corporate network 20 using the wireless client terminal 40. The tunnel is created when the wireless client 40 uses this a specific port to initiate an encrypted SSL connection (secure socket level connection) between the client 40 and the gateway server 10 as a native session. This session ends on the gateway server. Additional connections between the gateway server 10 and the internal servers of the corporate network 20 are provided through new unencrypted separate TCP sessions.

Thus, user access to the internal server of the corporate network 20 is provided through a separate TCP session between the client 40 and the gateway server 10 and an additional TCP session between the gateway server 10 and the internal server, where the gateway server acts as a client.

The VPN gateway server 10 further includes authentication means 11 for authenticating the user connecting to the VPN tunnel, port filtering means 12 for restricting the access of the authenticated user in the tunnel, and transmission means 13 for transmitting the set of allowed server TCP ports to the authenticated user.

One of ordinary skill in the art should understand that a user database 15, authentication means 11, port filtering means 12 are all implemented by well-known hardware circuits of the state of the art, including memory circuits, interface circuits, and a microprocessor that are configured and controlled, in order to work in accordance with the invention. The microprocessor executes program instructions that are loaded into memory and which instruct the hardware circuits to be configured and operate in accordance with various embodiments of the invention. The purpose of these program commands will be clear to a specialist in the field of programming after perceiving the studied content of this application.

Again, with reference to FIG. 1, an exemplary embodiment will now be described. Figure 1 shows an illustrative configuration in user database 15, which associates user X with a set of allowed TCP ports consisting of ports 80, 110, and 25. These ports are known to those skilled in the art as sockets for HTTP protocols (Hypertext Transfer Protocol) ), POP3 (mail protocol version 3) and SMTP (email forwarding protocol), respectively. Similarly, user Y is associated only with allowed ports 110 and 25. Thus, user Y’s access to corporate network 20 is configured with limited access to the mail server, while user X, in addition to access to the mail server, is also given the opportunity to access the Web Applications within the corporate network.

Wireless client 40 includes a client application configured to access a VPN tunnel provided by a gateway server. To access the tunnel, the client connects to the IP address of the VPN gateway server and the specific server TCP port of the tunnel. If the server TCP port for the tunnel is, for example, port 83, the client application will be preconfigured to connect to server TCP port 83 when accessing the VPN tunnel.

Next, operation of the embodiment shown in FIG. 1 will be described. According to the invention, the user database 15 is first configured by user-specific rules regarding access to server TCP ports using a VPN tunnel. As described above, this configuration involves associating different sets of allowed server TCP ports with different users. The resulting user database configuration in this embodiment is described above and, moreover, is shown in FIG.

When the user wants to access the corporate network, he uses the wireless client 40 and the IP address of the VPN gateway server 10 to connect to the server TCP port of the VPN gateway server 10 to connect to the server TCP port of the VPN tunnel, that is, in this case, port 83. By using this port to initiate an SSL encrypted connection between the client 40 and the gateway server 10, a secure VPN tunnel is created. The VPN gateway server 10 will then authenticate the user based on the authentication information and password transmitted by the user from the wireless client 40 via a TCP / IP connection to the server TCP port 83 of the tunnel. When the user is authenticated, the VPN gateway server retrieves the allowed server TCP ports associated with a specific user from the user database 15. The VPN server 10 then returns the client session number and the specific allowed server TCP ports to the wireless client application, for example, ports 80, 110, and 25 if the connecting user is user X described above. These server TCP ports are now only the ports allowed in the tunnel .

Having accepted the allowed server TCP ports from the VPN gateway server 10, the wireless client 40 will know which protocols should be used in the open secure tunnel. (If the allowed TCP ports were not well-known sockets, server 10 would also have to pass the client protocols for use with the allowed TCP ports). Now the user can start using applications that require protocols that comply with the protocols that can be used in connection with the allowed TCP ports. In a typical case, the client application will open the client side TCP port and transmit the request within the tunnel, which should be connected to the allowed server side TCP port. For example, user X may use a Web browser application (a Web browser for browsing the Internet) that opens the client side port 1077 and makes a request to become connected to the allowed server side TCP port 80. The client will forward this request to connect to the socket in the tunnel, that is, through the established connection, to TCP port 83 of the server side. All client requests for connecting to different sockets are thus directed to the same open connection of the server socket, that is, server TCP port 83 of the SSL encrypted secure tunnel.

Upon receiving data from a wireless client in a secure tunnel, the gateway server 10 decrypts the data and checks with the user database whether user X is allowed to use server TCP port 80 in the tunnel. When this is the case, the gateway server 10 will act as a client and establish a new separate TCP session by connecting to the TCP port 80 of the internal server that hosts the server process of the Web application on the corporate network. The gateway server 10 will then forward the decrypted user data as part of this separate TCP session.

Suppose now that user Y would like to launch a web browser application. According to the configuration, the gateway server 10 will prevent user Y from accessing the corporate network in this form. When user Y sends a request to connect to port 80 in the tunnel, the gateway server, after decrypting the received data, will detect that user Y is not allowed to use the requested server TCP port. Therefore, the gateway server 10 will not establish any TCP session on port 80 of the internal server, and no data will be forwarded to the corporate network. However, if user Y tried to access the mail server on the corporate network, such access could be provided by the gateway server 10, since this would involve server TCP ports allowed for use by user Y in the tunnel (ports 25 and 110 ) Thus, the gateway server 10 restricts user Y access to the corporate network.

With reference to FIG. 2, another illustrative embodiment of the invention will now be described. In this embodiment, the user database is configured to provide additional user-specific rules for accessing the corporate network. The configuration and access to the VPN tunnel correspond to those already described with reference to FIG. Moreover, all the elements in figure 2, having the design and operation corresponding to those of the elements in figure 1, are denoted by the same reference symbols as used in figure 1.

The allowed server TCP ports associated with the user in this embodiment are the allowed client side server TCP ports, which in the user database 25 are associated with the corresponding server side server TCP ports. Upon receipt of the request via the VPN tunnel to connect to the allowed server TCP port, the gateway server 10 will establish a new TCP session by connecting to the server side of the associated TCP server port. User data received in a secure tunnel and having a client-side TCP server port authorized as the destination of information will then be forwarded to the server-side TCP server port associated with it.

In addition, the client side server TCP port of each user is associated with an IP address, allowing the same client side server TCP port number of different users to be associated with different IP addresses.

Figure 2 shows an illustrative configuration, which includes users X and Y. Again, it is understood that applications on the corporate network use user port numbers in accordance with the generally accepted method for using these numbers, that is, port 25 for SMTP, port 110 for for POP3, port 80 for HTTP and port 53 for domain name service server applications. With the configuration of FIG. 2, user X is allowed to use client-side TCP server ports 25, 26, 110, and 112 to access applications of different mail servers having different IP addresses.

After user X is authenticated, the VPN gateway server transmits the allowed client side TCP server ports to the wireless terminal 40 operated by user X over a secure tunnel. User X then knows which ports that are allowed should be used. If the port number were not a well-known socket, the gateway server would also transmit to the user a port-specific protocol that should be used with a particular port. Alternatively, the wireless client is preconfigured with which protocols to use with different port numbers.

From the configuration of the user database 25 of FIG. 2, it can be seen that user X is allowed to access the processes of two different POP3 servers located at two different IP addresses 10.114.2.1 and 10.114.2.2 on the corporate network by using two different server TCP ports 110 and 112 of the client side in conjunction with the POP3 protocol in the tunnel. As indicated in FIG. 2, traffic in a secure tunnel from user X using client side server TCP port 110 will be forwarded through a TCP connection to IP address 10.114.2.1 and server side TCP port 110, while traffic using server TCP port 112 of the client side will be forwarded to the TCP connection to the IP address 10.114.2.2 and TCP port 110 of the server side.

User Y, on the other hand, is allowed to use only client server TCP ports 25 and 110. Thus, access to user Y's mail server on the corporate network is limited by server-side TCP ports on the server side used for POP3 and SMTP by a mail server with IP address 10.114.2.2. Thus, the same server TCP port number of the client side of two different users, that is, port number 110, at this moment is associated with the same server side TCP port number, but with different IP addresses. Thus, the gateway server is able to forward user data from different users who use the same data transfer protocol to the TCP ports of the server side of the recipients of information with different IP addresses.

User X is also allowed to use the server TCP ports 80 and 53 of the client side associated with the corresponding TCP ports of the server side and the IP addresses of the Web server application or the domain name service server on the corporate network. User Y does not have any client-side ports associated with server-side ports for Web server applications or domain name service server applications. Thus, user Y’s access to the corporate network is limited to access only the mail server.

It should be noted that the above detailed description of various embodiments of the invention was given only as an illustration, and that, therefore, they do not intend to limit the scope of the invention, as it is defined by the attached claims. Mostly it should be understood that the features of the various mainly described embodiments can be combined to create new embodiments that fall within the scope defined by the appended claims.

In addition, it should be understood that other changes and modifications falling within the scope defined by the attached claims, and within the essence set forth in the materials of this application, will become apparent to experts in the art when studying the claims and detailed description.

Claims (14)

1. A method for providing, through a server (10) gateways of a virtual private network (VPN), rules for wireless access over a secure tunnel connection to a corporate network (20), the method including the steps of configure the database (15, 25) of the server user data to provide user-specific rules for access via a secure tunnel connection, the configuration includes the step of associating different specific users with the corresponding sets of allowed server TCP ports; authenticate a user connecting to a secure tunnel connection; and restrict the authenticated user’s access to the corporate network (20) by sending only user data received via a secure tunnel, which, as the addressee of information, has a port that is included in the set of allowed server TCP ports associated with the user in the database (15, 25 ) user data, while the allowed TCP server ports associated with a particular user are the allowed client TCP server ports, and the configuration step includes a step in which the user data base (25) is configured so as to associate the allowed server TCP port of the client side with the server TCP port of the server side, the method including the step of forwarding user data received over the secure tunnel to server TCP port of the server side, associated with the allowed server TCP port of the client side, through a separate TCP connection, in which connection the gateway server acts as a client, and the configuration step includes the stage at which the user data base (25) is configured so as to associate different allowed server TCP ports of the client side that are associated with a particular user with the same TCP port of the server side, but with different corresponding IP addresses, the method includes the step of sending user data received over the secure tunnel to the IP address associated with the allowed server TCP port of the client side. 2. The method according to claim 1, comprising the step of configuring the secure tunnel so that it is associated with a specific server TCP port of the gateway server (10). 3. The method according to claim 1, in which the configuration step includes configuring the database (25) so as to associate different allowed server TCP ports of the client side with server TCP ports of the server side of different email servers having corresponding IP addresses. 4. The method according to claim 1, in which the configuration step includes configuring the database (25) so as to associate the allowed server TCP port of the client side with the server TCP port of the server side and the IP address of the corporate DNS servers within the corporate network. 5. The method according to claim 1, which includes transmitting to the authenticated user, through a secure tunnel, a set of allowed TCP server ports that are associated with the authenticated user in the user data base (15, 25). 6. The method according to claim 5, in which the configuration step includes configuring the user data base (15, 25) so as to associate a specific port protocol with an allowed server TCP port, which is a specific port specific protocol transmitted along with the authorized server TCP port to an authenticated user. 7. The server (10) of the gateways of the virtual private network (VPN), which provides rules for wireless access via a secure tunnel connection to the corporate network (20) and includes a database (15, 25) of user data that provides user-specific rules for access over a secure tunnel connection by preserving associations between different specific users and the corresponding sets of allowed server TCP ports; authentication means (11) for authenticating a user connecting to a secure tunnel connection; port filtering means (12) for restricting authenticated user access to the corporate network (20) by sending only user data received over a secure tunnel, which, as an information destination, has a port that is included in the set of allowed server TCP ports associated with the user in the database (15, 25) of user data, while the allowed server TCP ports associated with a specific user are the allowed server TCP ports of the client side, and the curled database (25) of user data associates the allowed server TCP port of the client side with the server TCP port of the server side, the filtering port is configured to forward user data received via a secure tunnel to the server TCP port of the server side associated with the allowed server The TCP-port of the client side, on a separate TCP connection, in which connection the server (10) acts as a client, while the database (25) of user data associates different allowed servers Black TCP ports of the client side, which are associated with a specific user, with the same server TCP port of the server side, but with different corresponding IP addresses, while the port filtering tool is configured to forward user data received over a secure tunnel, to the IP address associated with the authorized server TCP port of the client side. 8. The gateway server according to claim 7, wherein the secure tunnel is connected to a specific server TCP port of the gateway server (10). 9. The gateway server of claim 8, in which the database (25) of the data associates different allowed server TCP ports of the client side with server TCP ports of the server side of different email servers having corresponding IP addresses. 10. The gateway server according to claim 7, wherein the user data base (25) associates the allowed server TCP port of the client side with the server TCP port of the server side and the IP address of the corporate DNS server within the corporate network. 11. The gateway server according to claim 7, including transmission means for transmitting to the authenticated user, through a secure tunnel, a set of allowed server TCP ports that is associated with the authenticated user in the user data base (15, 25). 12. The gateway server according to claim 11, wherein the user data base (15, 25) associates a port-specific protocol with an allowed server TCP port, wherein said transmission medium is configured to transmit a port-specific protocol together with an allowed server TCP port to authenticated user. 13. A virtual private network (VPN) system, including a corporate network (20); a server (10) of gateways of a virtual private network (VPN) in accordance with any one of items 7-12 for providing wireless access via a secure tunnel connection to a corporate network (20); and at least one wireless client terminal (40), the client terminal is configured to use a separate server TCP port and IP address when connecting VPN gateways to the server (10) via a tunnel connection and a specific set of server TCP ports within a tunnel connection when accessing a corporate network (20 ) 14. The system of claim 13, wherein the wireless client terminal (40) is configured to receive server TCP ports to be used within the tunnel connection from the gateway server (10) in response to an authentication message transmitted to the server ( 10) gateways.

Images