
WO2002001832A1 - Device and methods for screening access to a computer network in a telecommunication system - Google Patents

Info

Publication number: WO2002001832A1
Authority: WO, WIPO (PCT)
Prior art keywords: access, server, network, terminals, bearer
Legal status: Ceased (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: PCT/IB2001/000601
Other languages: English (en)
Inventor: Pasi Pentikainen
Current assignee: Nokia Inc (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Nokia Inc
Priority date: 2000-06-26 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2001-04-09
Publication date: 2002-01-03

Classifications

    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L63/0227 Filtering policies > H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/04 Protocols specially adapted for terminals or networks with limited capabilities; specially adapted for terminal portability
    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic > H04L63/1416 Event detection, e.g. attack signature detection

Definitions

  • This invention relates generally to methods and devices for providing access by network terminals in a telecommunication system to a computer network that manages the telecommunication system. More particularly, the invention relates to devices and methods for allowing or denying access to a computer network in a telecommunication system by network terminals in the telecommunication system before the messages are input to the computer network. Such devices are commonly referred to as a "firewall".
  • A data communication protocol is implemented which seamlessly translates internet messages sent according to internet protocols, for example the hypertext transport protocol ("http"), to a protocol recognized and understood by the wireless system in use.
  • http: hypertext transport protocol
  • WAP: Wireless Access Protocol
  • The WAP protocol is described in several documents such as, for example, Wireless Application Protocol Architecture, Version 30 - April 30, 1998, published by the Wireless Application Protocol Forum, Ltd., the teachings of which are incorporated herein by reference; and Wireless Application Protocol, Wireless Application Environment Specification Version 1.1 (May 24, 1999), the teachings of which are also incorporated herein by reference.
  • Regardless of which messaging protocol is used to translate the http messages to messages understandable by the wireless system, it has become increasingly necessary to devise ways in which unwanted users or terminals in the system can be denied access to the wireless network. This is necessary since the proliferation of users of the internet has caused requests for access to many wireless systems to be overwhelming, thereby reducing the ability of the wireless systems to perform their functions and to operate efficiently.
  • Various solutions have been attempted in the past to restrict access to telecommunication networks. "Firewall" products, known to those skilled in the art, have been employed to prevent unauthorized users or clients from creating protocol traffic on the network. The problem with prior art firewalls is that they have been implemented as separate devices which raise the costs of the telecommunication system and which require separate maintenance and care.
  • Firewall products have typically been "transport bearer specific," i.e., they are individually usable only with the particular message bearer protocol for which they are designed. Thus, for example, if Transport Control Protocol/Internet Protocol
  • TCP/IP: Transmission Control Protocol/Internet Protocol
  • UDP/IP: User Datagram Protocol/Internet Protocol
  • Systems and methods configure a computer network that includes a plurality of terminals to either accept or deny access to the network of particular network terminals.
  • The request for access is then screened before the request is input to a server in the network. If the request is from a terminal that is allowed access to the network, then that particular message is input to the network and the terminal from which that message was received is given access to the network. However, if the request is from a terminal that has been denied access to the network, the message output from the denied terminal is not allowed access to the network.
  • The inventive systems and methods greatly facilitate the efficient use of server processing time and compute cycles. Additionally, since the access requests are screened before the requests are input to the server, the access requests are analyzed at the protocol bearer level of the network, thereby allowing messages of any protocol to be efficiently screened. This also eliminates the need for separate firewalls for screening messages to be maintained in the network, which greatly reduces the costs and complexities of the network.
  • Figure 1 is a block diagram of a server architecture which implements the systems and methods of the present invention for screening access to a wireless network.
  • Figure 2 is a flow chart of a preferred method for screening unwanted messages from entering a wireless system in accordance with the present invention.
  • FIG. 1 is a block diagram of a gateway server hierarchy 10 which implements the inventive systems and methods.
  • Server 10 may be embodied in software alone, or may also be implemented as a separate processor for performing the server functions to be described in more detail below.
  • Server 10 may implement any particular protocol or protocols necessary for translating, implementing or otherwise enabling Internet or wireless communications.
  • Server 10 implements the WAP protocol described briefly above and therefore server 10 will be referred to throughout as WAP server 10. While the preferred embodiment of the invention has been .
  • Any other protocol which is usable in a hybrid internet/wireless network may implement the inventive systems and methods with equal efficacy.
  • The present invention is applicable to any such protocol but, for illustrative purposes, will be described throughout with respect only to the WAP protocol.
  • The WAP server 10 preferably comprises a wireless protocol stack (WPS) 20 which provides access control functionality for the server 10 after a security manager has defined which network terminals are to be given access to the WAP server 10, as will be described in more detail below.
  • WPS: wireless protocol stack
  • Bearer adapters 30 are placed below WPS 20 and access the several bearers through bearer drivers 40. The bearer adapters 30 provide all of the required functionality to interpret wireless messages which will be received by the WAP server 10.
  • A bearer adapter 30 is provided for any particular wireless protocol in which a message can be sent for processing by the WAP server 10.
  • Bearer adapters 30 may be a short message signaling (SMS) phone bearer adapter, a CSD bearer adapter 70, a CIMD Nokia short message signaling center (SMSC) bearer adapter, an IS-95 bearer adapter and/or any other bearer adapter which is needed to support message receipt and processing by WAP server 10.
  • SMS: short message signaling
  • The bearer adapter functions as an adaptation layer or tunnel that maps the WDP (Wireless Datagram Protocol) functions directly onto a specific bearer.
  • The adaptation layer is different for each bearer and deals with the specific capabilities and characteristics of that particular bearer service. Moreover, at WAP server 10, the adaptation layer terminates and passes the WDP packets on to a WAP proxy server (not shown in Figure 1) via a tunneling protocol, which is the interface between the WAP server 10 that supports the bearer service and the WAP proxy server.
  • The bearer adapters 30 are thus components that connect WAP server 10 to a wireless network. To support a number of different bearers, WAP server 10 will thus need a number of different bearer adapters 30, as shown. All data from a WAP terminal comes to the WAP server 10 through bearer drivers 40 and the respective bearer adapter 30. After traversing the bearer adapter 30, the data enters WAP stack 20, which includes the necessary protocol layers to recognize the data. In accordance with the invention, license control is provided by license control module 50. Thus, data entering the WAP server 10 is screened by license control module 50 before it enters the protocol stack 20. To accomplish this salutary result, a bearer gateway 60 which includes license control module 50 is provided between WPS 20 and the bearer adapters 30.
  • Bearer gateway 60 performs license control, i.e., it controls access to the WAP server 10 by terminals, and checks whether every incoming data packet has access rights or not. If the packet has access rights, it is allowed to proceed to the WPS 20. If the packet does not have access rights, it is discarded.
  • The packets received by WAP server 10 are constructed in accordance with a service primitive provided by the WDP specification.
  • The service primitive comprises, among others, the following parameters:
  • The Source Address is the address of the sender and is the unique address of the device making a request to the WDP layer.
  • The Source Address may be a Mobile Station ISDN (MSISDN) number, an IP address (given as numbers or symbols), an X.25 address, or some other identifier.
  • The length of the Source Address parameter may vary according to what the source is.
  • The Source Port is the application address or port number associated with the Source Address of the requesting communication instance.
  • The port number of the sender is a 16-bit number.
  • The User Data is the data carried by the WDP protocol.
  • The unit of data submitted to or received from the WDP layer is also referred to as the Service Data Unit. This is the complete unit (message, packet, package) of data which the higher layer (at the sender) has submitted to the WDP layer for transmission.
  • The WDP layer will transmit the Service Data Unit and deliver it to its destination without any manipulation of its content.
  • The Source Address and Source Port parameters are part of the header portion of a WAP message, and the User Data is the actual payload of the message.
  • Bearer gateway 60 will read both the Source Address and the Source Port information in every data packet that is received at the bearer gateway through the bearer adapters 30.
  • Each combination of a client address (Source Address) and a client port (Source Port) makes up a concurrent session and thereby requires one license.
  • The licenses for access by a terminal to the WAP server 10 are calculated on a session basis.
  • Concurrent sessions are controlled from the same license source.
  • License control in accordance with the invention determines how many sessions are allowed to execute transactions concurrently.
  • Each license is tied to a time window; in the preferred embodiment this time window is about ten minutes in length. This means that when a session is established, one license is reserved for every combination of allowed Source Address and Source Port. If no data arrives at the WAP server 10 from that session within the time window, then the license is released. The next time in the session that a transaction is requested from the Source Address and Source Port combination, a new license is needed, i.e. data in the session is allowed to pass the bearer gateway 60 only if there is still a free license for that license holder.
  • Server 10 further comprises a content filters module 100 and a content sources module 110.
  • The content filters module 100 comprises various encoders, decoders, converters and other functional software modules necessary to filter messages being received by WAP server 10 from the internet.
  • WML: wireless mark-up language
  • WMLS: wireless mark-up language script
  • HTTP: hypertext transport protocol
  • Content sources module 110 provides an interface for content sources to be read and processed by the WAP server 10.
  • http sources and other types of Internet protocol (IP) sources are handled and input through the content sources module 110 to the WAP server 10.
  • The WAP server 10 also preferably comprises a universal interface (UI) module 70 which includes the required graphical, command and other interfaces so that users can access the WAP server 10.
  • A server manager 80 handles all of the appropriate overhead issues associated with managing each of the software modules in WAP server 10 and particularly interfaces with the bearer gateway 60 to facilitate license control and access to the WPS 20.
  • Other interfaces 90 are provided so that WAP server 10 can communicate with other elements in the wireless network.
  • The WAP server 10 may be implemented in software in an appropriate environment. Whichever software environment is chosen to implement the inventive access control methods disclosed herein, Figure 2 depicts a flow chart of a preferred form of the method.
  • The method may be implemented as a "point and click" process commonly known to those familiar with modern server functionality.
  • Other input devices such as a standard keyboard may be used to choose software selections for access control implementation, especially when something other than a simple menu-driven system with icons is utilized.
  • The method begins at step 100, and at step 110 it is determined whether the particular terminal requesting access is "blacklisted" from the system. To be blacklisted means that under no circumstances shall access to the WAP server 10 ever be granted to this terminal, and so at step 120 access is denied. It is then determined at step 130 whether access to the WAP server is being requested from a known terminal, i.e. one to which a license for access has been granted during the session. If so, then at step 140 access to this terminal is granted. If not, then at step 150 it is determined whether the terminal requesting access is an unknown terminal, i.e. a terminal not previously granted a license to the WAP server in a session, and whether access for unknown terminals is allowed.
  • Access control to the WAP server 10 is thus exercised efficiently before messages, data or other datagrams actually reach the WAP server.
  • The computational overhead required to process messages in the WAP server is greatly diminished. This contributes to enhanced server and network performance, and reduces the computation costs associated with the server. Such results have not heretofore been achieved in the art.
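As an added example (not part of the patent and not Nokia's code), the license control of bearer gateway 60 combined with the Figure 2 decision steps, modelled in Python: each packet is keyed by its WDP Source Address and Source Port, one license is reserved per concurrent session, a known session keeps its license while it stays active, and an idle license is released after the ten-minute window. The packet model, the decision labels, the two-license limit and the sample addresses and ports are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

IDLE_WINDOW_S = 600.0  # "about ten minutes": a license is released if no data arrives in this window


@dataclass
class WdpPrimitive:
    """The WDP service-primitive fields the bearer gateway reads (constructed model)."""
    source_address: str  # MSISDN, IP address, X.25 address, ... (variable length)
    source_port: int     # 16-bit application port of the sender
    user_data: bytes     # payload; the gateway never inspects or alters it


@dataclass
class BearerGateway:
    """License control in front of the WAP protocol stack (bearer gateway 60)."""
    max_licenses: int                                   # sessions allowed to transact concurrently
    blacklist: Set[str] = field(default_factory=set)    # terminals never granted access (step 110)
    allow_unknown: bool = True                          # may a terminal without a license reserve one?
    # one license per concurrent session, keyed by (Source Address, Source Port);
    # the value is the time the last packet of that session was seen
    licenses: Dict[Tuple[str, int], float] = field(default_factory=dict)

    def release_idle(self, now: float) -> int:
        """Release every license whose session has been silent for the whole window."""
        idle = [k for k, last in self.licenses.items() if now - last > IDLE_WINDOW_S]
        for k in idle:
            del self.licenses[k]
        return len(idle)

    def screen(self, pkt: WdpPrimitive, now: float) -> str:
        """Decide, before the packet reaches the WPS, whether it may pass."""
        if not 0 <= pkt.source_port <= 0xFFFF:    # WDP ports are 16-bit numbers
            return "DENY_MALFORMED"
        if pkt.source_address in self.blacklist:   # steps 110/120: never admitted
            return "DENY_BLACKLISTED"
        self.release_idle(now)
        key = (pkt.source_address, pkt.source_port)
        if key in self.licenses:                   # steps 130/140: known, license held
            self.licenses[key] = now               # activity keeps the window open
            return "ALLOW_KNOWN"
        if not self.allow_unknown:                 # step 150: unknown terminals barred
            return "DENY_UNKNOWN"
        if len(self.licenses) >= self.max_licenses:
            return "DENY_NO_LICENSE"               # every concurrent license is in use
        self.licenses[key] = now                   # reserve a license for this session
        return "ALLOW_NEW"


def run_scenario() -> List[str]:
    """Replay a constructed packet trace through a gateway holding two licenses."""
    gw = BearerGateway(max_licenses=2, blacklist={"+358400000099"})
    # (seconds since start, Source Address, Source Port); all sample values are constructed
    trace = [
        (0.0, "+358400000001", 2948),    # terminal A opens a session
        (1.0, "+358400000099", 2948),    # blacklisted terminal
        (2.0, "10.0.0.7", 9201),         # terminal B takes the second license
        (3.0, "10.0.0.8", 9201),         # terminal C: no free license
        (100.0, "+358400000001", 2948),  # A is known, its window is refreshed
        (650.0, "10.0.0.8", 9201),       # B idle > 600 s, its license is freed, C gets it
        (660.0, "10.0.0.7", 9201),       # B returns: needs a new license, none free
    ]
    return [gw.screen(WdpPrimitive(a, p, b"wsp"), t) for t, a, p in trace]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The last two trace entries show the point of the time window: an idle session does not hold its license indefinitely, and when it returns it competes for a free license like any unknown terminal.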

Abstract

Systems and methods for screening access to a wireless access protocol (WAP) server, which screen messages received from terminals that are not authorized to access the WAP server before those messages actually enter the WAP server. A security manager configures the server to accept or deny access to the WAP server by terminals by entering the identification numbers of authorized terminals into a WAP protocol stack (WPS), which is consulted to determine whether the terminals requesting access are registered on an authorized access list. If access is authorized, the messages are input to the WAP server; if access is denied, those messages are not allowed to reach the WAP server. Screening the messages before they enter the WAP server considerably improves the efficiency of the server, since messages whose access is denied do not need to be processed.

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2001250560A AU2001250560A1 (en) 2000-06-26 2001-04-09 Device and methods for screening access to a computer network in a telecommunication system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US60341100A 2000-06-26 2000-06-26
US09/603,411 2000-06-26

Publications (1)

Publication Number Publication Date
WO2002001832A1 true WO2002001832A1 (fr) 2002-01-03

Family

ID=24415317

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2001/000601 Ceased WO2002001832A1 (fr) 2000-06-26 2001-04-09 Device and methods for screening access to a computer network in a telecommunication system

Country Status (2)

Country Link
AU (1) AU2001250560A1 (fr)
WO (1) WO2002001832A1 (fr)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2389483A (en) * 2002-04-11 2003-12-10 Apoapsis Ltd Wireless monitoring for performance and security of network
EP1552414A4 (fr) * 2002-06-10 2010-11-24 Akonix Systems Inc Systems and methods for a protocol gateway
US8195833B2 (en) 2002-06-10 2012-06-05 Quest Software, Inc. Systems and methods for managing messages in an enterprise network

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999056431A2 (fr) * 1998-04-28 1999-11-04 Nokia Mobile Phones Limited Method and network for handling wireless session protocol service sessions
US5991810A (en) * 1997-08-01 1999-11-23 Novell, Inc. User name authentication for gateway clients accessing a proxy cache server
WO2000022794A2 (fr) * 1998-10-13 2000-04-20 Nokia Mobile Phones Limited Access to a server computer
WO2001003368A1 (fr) * 1999-06-30 2001-01-11 Nokia Corporation Access control to a gateway server

Also Published As

Publication number Publication date
AU2001250560A1 (en) 2002-01-08

Legal Events

Date Code Title Description
AK Designated states: Kind code of ref document: A1. Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW
AL Designated countries for regional patents: Kind code of ref document: A1. Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG
121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
ENP Entry into the national phase: Ref document number: 10763901. Country of ref document: BG. Kind code of ref document: A. Format of ref document f/p: F
REG Reference to national code: Ref country code: DE. Ref legal event code: 8642
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase: Ref country code: JP